UPDATING  DATABASES  WITH  INCOMPLETE 
INFORMATION 


U.S.  DEPARTMENT  OF  COMMERCE 
National  Technical  Information  Service 


January  1987 


Report  No.  STAN-CS-87-1143 


PB96 - 146006 


Updating  Databases  with  Incomplete  Information 

by 


Marianne  S.  Winslett 


Department of Computer Science

Stanford University
Stanford, CA 94305


REPRODUCED BY:

U.S. Department of Commerce
National Technical Information Service
Springfield, Virginia 22161


Updating  Databases  With  Incomplete  Information 


A  DISSERTATION 

SUBMITTED  TO  THE  DEPARTMENT  OF  COMPUTER  SCIENCE 
AND  THE  COMMITTEE  ON  GRADUATE  STUDIES 
OF  STANFORD  UNIVERSITY 
IN  PARTIAL  FULFILLMENT  OF  THE  REQUIREMENTS 
FOR  THE  DEGREE  OF 
DOCTOR  OF  PHILOSOPHY 


By 

Marianne  Southall  Winslett 
December  1986 


©  COPYRIGHT  1987 
by  Marianne  Southall  Winslett 


In  memory  of  my  mother,  Virginia  Custis  Winslett 




ACKNOWLEDGMENTS 


All  three  members  of  my  reading  committee  have  played  vital  roles  in  the 
development  of  this  dissertation.  I  would  not  have  gotten  past  year  one  without 
the  encouragement  of  Christos  Papadimitriou.  My  claims  would  have  been  flimsy 
indeed  without  the  emphasis  on  rigor  of  Moshe  Vardi.  And  I  would  long  ago  have 
been  derailed  from  my  course  without  the  academic  acumen  of  Gio  Wiederhold 
to  illuminate  the  potholed  road  of  scholarly  life. 

When the members of the KBMS project fell under Gio’s edict to produce conference papers in the summer of 1983, Arthur Keller got me started on the topic of incomplete information when we wrote a paper together, a most productive collaboration. A year later incomplete information became my dissertation topic as well, and I monopolized Christos’ spare moments unmercifully for quite a time thereafter with prattle of “marked nothings” and “empty facts”. More recently, Christos suggested storing rather than executing expensive updates as a strategy for cost reduction, a line of attack that proved most fruitful.

In  the  fall  of  1985  Moshe  Vardi  joined  my  reading  committee.  Moshe’s 
advising  technique  has  been  to  vehemently  insist  that  he  doesn’t  know  what  I’m 
talking  about.  By  the  time  I  explain  something  to  his  satisfaction,  there  is  a  solid 
theorem  and  proof  in  the  explanation.  Moshe’s  liberal  use  of  punctuation  (“?”) 
on  drafts  has  led  to  a  much  more  comprehensible  presentation.  He  has  pointed 
out  numerous  errors  and  omissions,  and  provided  invaluable  discussion  on  many 
points. 

Conversations with Devika Subramanian made me realize that this work would also be of interest to the artificial intelligence world; but I would never have been able to format my results in a form palatable to that community without the AI perspective and suggestions of David C. Wilkins. Many of the results presented in this thesis have appeared elsewhere [Winslett 86abc], and David redlined many a draft of the original articles. He also read the final draft of this thesis and compiled the index of definitions. Mark Manasse provided logic expertise during the creation of principle P5 of Chapter 8. My officemate, Peter K. Rathmann, helped with the complexity results in Chapter 6, and wisely left town as the thesis due date approached.

I  am  indebted  to  AT&T  Bell  Laboratories,  especially  Andy  Salazar,  Herb 
Burton,  Charlie  Roberts,  Mark  Rochkind,  and  Bob  Lucky,  for  encouragement 
to  leave  their  employ  and  come  back  to  school;  and  also  for  the  AT&T  Bell 
Laboratories  fellowship  provided  during  my  years  of  graduate  study.  Additional 
support  was  provided  by  DARPA  under  a  series  of  grants  to  the  Knowledge  Based 
Management  Systems  projects,  with  Gio  Wiederhold  as  principal  investigator. 




ABSTRACT 


Suppose one wishes to construct, use, and maintain a database of facts about the real world, even though the state of that world is only partially known. In the artificial intelligence domain, this problem arises when an agent has a base set of beliefs that reflect partial knowledge about the world, and then tries to incorporate new, possibly contradictory knowledge into this set of beliefs. In the database domain, one facet of this situation is the well-known null values problem. We choose to represent such a database as a logical theory, and view the models of the theory as representing possible states of the world that are consistent with all known information.

How  can  new  information  be  incorporated  into  the  database?  For  example, 
given  the  new  information  that  “b  or  c  is  true,”  how  can  one  get  rid  of  all  outdated 
information  about  b  and  c,  add  the  new  information,  and  yet  in  the  process 
not  disturb  any  other  information  in  the  database?  In  current-day  database 
management  systems,  the  difficult  and  tedious  burden  of  determining  exactly 
what  to  add  and  remove  from  the  database  is  placed  on  the  user. 

Our research has produced a formal method of specifying the desired change intensionally, by stating a well-formed formula that the state of the world is now known to satisfy. The database update algorithms we provide will automatically accomplish that change. Our approach embeds the incomplete database and the incoming information in the language of mathematical logic, and gives formal definitions of the semantics of our update operators, along with proofs of correctness for their associated algorithms. We assess the computational complexity of the algorithms, and propose a means of lazy evaluation to avoid undesirable expense during execution of updates. We also examine means of enforcing integrity constraints as the database is updated.

This  thesis  also  examines  the  question  of  choices  of  semantics  for  update 
operators  for  databases  with  incomplete  information,  and  proposes  a  framework 
for  evaluation  of  competing  choices  of  semantics.  Several  choices  of  semantics  are 
evaluated  with  respect  to  that  framework. 

An experimental implementation of our method has been constructed, and we include the results of test runs on a range of patterns of queries and updates.

Chapter 1: Introduction


How  can  new  facts  be  added  to  a  body  of  knowledge  when  the  new 
facts  may  contradict  preexisting  information? 


In  the  course  of  investigating  this  question,  this  dissertation  gives  partial 
answers  to  nagging  questions  in  practical  database  work;  in  database  theory  and 
logical  databases;  and  in  artificial  intelligence,  particularly  belief  revision.  In 
this  introductory  chapter  we  motivate  the  research  from  the  perspectives  of  these 
three  groups  of  readers,  and  conclude  with  a  guide  to  the  remainder  of  the  thesis. 

The  majority  of  this  thesis  was  written  with  a  particular  audience  in  mind: 
those  who  are  comfortable  with  first-order  logic  and  have  a  passing  acquaintance 
with  database  updates.  Tactical  suggestions  are  offered  below  for  readers  with 
other  backgrounds  and  interests. 

From  a  traditional  database  perspective.  A  database  management  system 
faces  two  central  tasks:  evaluation  of  incoming  queries  and,  quite  separately, 
processing  of  incoming  updates. 

Much attention has been paid to the problem of answering queries in databases containing null values, or attribute values that are known to lie in a certain domain but whose value is currently unknown (see e.g. [Codd 79, Imielinski 84, Reiter 84, Vassiliou 79, Zaniolo 82]). There has been very little research on updating such databases, although, as one group of researchers aptly points out [Abiteboul 85], answering queries in databases containing nulls presupposes the ability to enter incomplete information into the database and, with any luck, to remove uncertainties when more information becomes available. Such a capability is needed not only in the case where the user directly requests the incorporation of uncertain values into the database, but also when updates indirectly spawn incomplete information, as in updating through views [Bancilhon 81, Dayal 82, Keller 82, 85] and in natural language updates [Davidson 81, 84].

As an example of the difficulties posed by even simple updates, suppose that we have the following two relations, containing one null value.

EMPLOYEE   DEPT   SALARY
Reid       ?      30,000
Nilsson    CSD    40,000

MANAGER    DEPT
Nilsson    CSD

Suppose that the database user wishes to give all the computer scientists a raise. Here is an expression of that update in a generic database manipulation language:

RANGE OF t IS EmpDeptSal

MODIFY t.SALARY TO BE t.SALARY*1.1
WHERE t.DEPT = ComputerScience

What  happens  to  Reid’s  salary?  How  can  we  express  the  fact  that  Reid’s  salary 
depends  on  an  unknown  value  in  another  field  of  the  tuple,  and  how  can  that 
relationship  be  determined  automatically? 

Matters  get  more  complicated  if  instead  the  user  wishes  to  give  Reid’s 
boss  a  raise: 

RANGE OF t IS EmpDeptSal
RANGE OF t2 IS EmpDeptSal
RANGE OF s IS ManDept

MODIFY t.SALARY TO BE t.SALARY*1.1
WHERE t2.EMP = Reid AND t2.DEPT = s.DEPT
AND s.MANAGER = t.EMP

What  happens  to  Nilsson’s  salary?  How  can  we  express  the  fact  that  his  salary 
depends  upon  an  unknown  value  in  a  different  relation,  and  how  can  that  fact  be 
derived  automatically? 

Unfortunately, although it is syntactically simple to allow null values in relational tables and update requests, any reasonable semantics for these updates will lead to result relations that cannot be stored as simple tables. Even with tight restrictions on the appearance of nulls, one quickly leaves the realm of the relational model, as in the example above. Our advice to a database management system designer operating under tight bounds of performance: don’t try to treat a null value as anything more than an element in an ordinary domain with a few extra primitive operations, such as ISNULL(); otherwise naive users will drive processing costs up with their ill-advised updates, and will lay the blame on the wrong party.

For readers oriented toward practical database technology, the recommended route through this thesis is a quick trip through Chapter 3 followed by a tour of Chapter 9, the discussion of implementation.

From a logical databases perspective. Matters are less bleak if one is willing to cast aside the traditional relational restriction of databases to tables and instead view databases as simple, restricted theories in first-order logic with equality. This is the viewpoint adopted in this thesis, and readers who share this perspective should find themselves at home.

We use an extension of the logic framework set forth by Reiter [84, 84b] for the null value and disjunctive information problems. (Disjunctive information occurs when one knows that one or more of a set of tuples holds true, without knowing which one.) Given a relational database, Reiter shows how to construct a relational theory whose model corresponds to the world represented by the database, and extends this framework to allow disjunctive information and null values to appear in the relational theory. The use of an extension of Reiter’s logic framework has four advantages: it allows a clean formalization of incomplete information; it allows a definition of the meanings of query and update operators without recourse to intuition or common knowledge; and it frees us from implicit or explicit consideration of implementation issues, by not forcing incomplete information into a tabular format. Through framing the update question in this paradigm, we will also gain insights into the more general problem of updating general logical theories, and lay groundwork for use in applications beyond ordinary databases, such as AI applications using a knowledge base built on top of base facts. We will show that in the logic paradigm it is natural to extend the concept of database updates to encompass databases with incomplete information.

From an artificial intelligence perspective. Suppose one wishes to construct, use, and maintain a knowledge base (KB) of beliefs about the real world, even though the facts about that world are only partially known. In the artificial intelligence (AI) domain, this problem arises when an agent has a base set of beliefs that reflect partial knowledge about the world, and then tries to incorporate new, possibly contradictory knowledge into this set of beliefs. We choose to represent such a KB as a logical theory, and view the models of the theory as representing possible states of the world that are consistent with the agent’s beliefs.

How  can  new  information  be  incorporated  into  the  KB?  For  example,  given 
the  new  information  that  “b  or  c  is  true,”  how  can  one  get  rid  of  all  outdated 
information  about  b  and  c,  add  the  new  information,  and  yet  in  the  process  not 
disturb  any  other  information  in  the  KB?  The  burden  may  be  placed  on  the 
user  or  other  omniscient  authority  to  determine  exactly  what  to  add  and  remove 
from  the  KB.  But  what’s  really  needed  is  a  way  to  specify  the  desired  change 
intensionally,  by  stating  some  well-formed  formula  that  the  state  of  the  world  is 
now  known  to  satisfy  and  letting  the  KB  algorithms  automatically  accomplish 
that  change.  We  investigate  this  problem  for  the  simplest  type  of  belief  revision, 
that  of  bodies  of  ground  beliefs  with  particularly  simple  axioms.  In  contrast, 
most  work  on  belief  revision  by  AI  researchers  focuses  on  the  mechanisms  for 
handling  inference  through  axioms  correctly  (see  e.g.  [Doyle  79,  McCarthy  80]). 
The results of most interest to AI readers are collected in Winslett [86c]. In particular, the effect of removing the closed-world assumption [Lifschitz 85, Reiter 80] used in this dissertation is investigated there. Syntax, semantics, algorithms, and proofs of correctness are all presented for an open-world scenario. In addition, the long version of Winslett [86c] includes a more complete discussion of the enforcement of dependency axioms than is presented here. The AI-oriented reader will find Winslett [86c] to be the best introduction to this work, and then can browse through the offerings of these chapters at will.

Outline  of  the  remaining  chapters.  Chapter  2  surveys  work  done  by  others 
that  is  related  to  the  problem  of  updating  databases  with  incomplete  information. 

The central ideas of this dissertation all appear in Chapter 3, which presents a logical language for the update problem, syntax and semantics for updates, and an algorithm for implementing the simplest types of updates. Chapter 4 extends these results to updates containing variables and quantifiers, and also gives an update algorithm for the case where the database, exclusive of higher-level rules and axioms, is any finite first-order theory containing quantifiers. Proofs of correctness for the update algorithms appear in Chapter 4, along with a discussion of computational complexity.

When null values appear in the database, updates can cause unacceptably large growth in the database when many data tuples “unify” with one another. Chapter 5 presents a lazy evaluation scheme coupled with simple user-supplied cost limits, used to avoid undesirable expense during execution of updates against databases that suffer from this unification problem. The goal of lazy evaluation is to delay execution of too-expensive updates as long as possible in the hopes that more information about the null values causing the expense will arrive in the interim. The techniques proposed have a strong flavor of database concurrency control.

There are many possible interpretations of the semantics of updates when additional general rules regarding the permissible states of and transformations on the database are considered along with the collection of base data. The “correct” interpretation of an update when such axioms are present depends on the intended semantics of the axiom. The study of artificial intelligence abounds with these phenomena; a simple example from the database arena is the choice of action when an integrity constraint would be violated by a requested update. Typically, a database management system either rejects the update or else makes additional changes in the database so that the constraint is still satisfied. Incomplete information complicates matters by providing additional reasonable roles for axioms that are not present in the complete-information case. These alternatives are studied in Chapter 6. After a discussion of these enforcement options, Chapter 6 shows how to provide what we call strict enforcement, for the class of universally quantified dependency axioms. Simple dependency axioms, such as type axioms, functional dependencies, and multi-valued dependencies, are easily strictly enforced.

Chapters 3 and 4 establish that it is computationally feasible to implement updates when incomplete information is present, by presenting polynomial-time algorithms for a particular choice of update semantics, called the standard semantics. The standard semantics is by no means the only possible choice of semantics, however. Chapter 7 is devoted to a discussion of the properties of a number of candidate semantics for updates. A broad spectrum of possible semantics is identified there, and criteria of expressiveness, suitability for the application, comprehensibility, and computational feasibility are proposed for evaluating potential choices of semantics. Several points along that spectrum, including the standard semantics, are examined thoroughly with respect to those criteria. In addition, update algorithms are presented for two semantics other than the standard semantics, to show how our algorithmic approach can be extended to other choices of semantics.

Chapter 8 presents a series of results on update equivalence. Two updates U1 and U2 are equivalent if for any database, U1 applied to that database produces the same result as does U2 applied to that database. Update equivalence theorems are useful for clarifying the properties of candidates for update semantics. They provide one measure of comprehensibility for a particular choice of semantics: under that semantics, do two updates that look similar have the same effect on every database? Do updates that intuitively seem different produce different effects? Update equivalence theorems are given for the standard semantics and for the other semantics studied in Chapter 7. In addition, we provide several results on update equivalence that apply to a broad class of choices of semantics.

There  is  much  to  be  learned  in  the  reduction  of  a  theory  to  practice. 
Clearly  queries  and  updates  will  be  more  expensive  in  databases  with  incomplete 
information;  how  high  might  that  extra  cost  be  in  a  typical  database  scenario? 
Chapter  9  describes  an  implementation  of  the  Update  Algorithm  of  Chapter 
4,  and  gives  experimental  results.  The  discussion  focuses  on  the  size  of  the 
stored  database  after  a  long  series  of  updates  that  insert,  reference,  and  remove 
incomplete  information,  and  on  the  number  of  disk  accesses  required  to  answer 
a  set  of  queries  after  that  series  of  updates. 

Conclusions  are  presented  in  Chapter  10,  along  with  topics  for  future  work. 
Chapter 2: Related Work


When this research effort began, essentially no work had been done on the problem of updating (as opposed to querying) databases that contain incomplete information. The notable exception is the work of Fagin et al [83, 86]. Our work has a different motivation from that of Fagin et al, who were primarily concerned with applications such as updates through views and updates through integrity constraints. In such applications, one can attach importance to the particular formulas currently in the theory, such as view definitions or integrity constraints; and in fact Fagin et al take the formula as the primary unit of interest during update, producing a more syntactically oriented approach than our own. In contrast, our semantics is not concerned with the particular formulas in the theory being updated, but rather with the individual models of that theory. We define the semantics of an update by telling what effect the update should have on each model of the theory, independent of all other models. Unlike that of Fagin et al, the effect of an update in our paradigm is independent of the choice of formulas (other than schema and integrity constraints) used to represent that set of models. For example, let T1 be a database containing the formula Emp(Reid, CSD) ∧ Emp(Nilsson, CSD), and let T2 be a database containing the two formulas Emp(Reid, CSD) and Emp(Nilsson, CSD). Then an update U might give different results when applied to T1 and T2 under the approach of Fagin et al. With our model-theoretic approach, however, U will give the same results when applied to the two databases.
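The contrast between the formula-oriented and the model-oriented view, as an added example that is not part of the dissertation: the two ground facts become propositional atoms, T1 holds their conjunction as one formula and T2 holds them as two formulas, and an update that deletes Emp(Reid, CSD) is run both ways. The syntactic deletion here is a simplified, brute-force reading of "maximal subtheories that do not entail the formula" (an assumption of this example, not the exact definition of Fagin et al), and the model-based deletion simply makes the atom false in every model.

```python
from itertools import product, combinations

# Added example (not from the dissertation): a propositional abstraction of the
# T1/T2 comparison in Chapter 2. The two ground facts become two atoms.
R = "Emp(Reid,CSD)"
N = "Emp(Nilsson,CSD)"
ATOMS = (R, N)

# A formula is represented as a function from a model (dict atom -> bool) to bool.
def atom(a):
    return lambda m: m[a]

def conj(f, g):
    return lambda m: f(m) and g(m)

# T1 contains one conjunction; T2 contains the two conjuncts as separate formulas.
T1 = [conj(atom(R), atom(N))]
T2 = [atom(R), atom(N)]

def all_models():
    """Every truth assignment over ATOMS."""
    for values in product([False, True], repeat=len(ATOMS)):
        yield dict(zip(ATOMS, values))

def models_of(theory):
    """Models of a theory, each given as the frozenset of atoms it makes true."""
    return frozenset(
        frozenset(a for a in ATOMS if m[a])
        for m in all_models()
        if all(f(m) for f in theory)
    )

def entails(theory, formula):
    """theory |= formula: the formula holds in every model of the theory."""
    return all(formula(m) for m in all_models() if all(f(m) for f in theory))

def syntactic_delete(theory, formula):
    """Formula-oriented deletion (simplified; an assumption of this example):
    keep each maximal subset of the theory's formulas that does not entail
    `formula`. Returns the model set of every such subtheory."""
    idx = range(len(theory))
    candidates = [
        set(sub)
        for r in range(len(theory) + 1)
        for sub in combinations(idx, r)
        if not entails([theory[i] for i in sub], formula)
    ]
    maximal = [c for c in candidates if not any(c < d for d in candidates)]
    return [models_of([theory[i] for i in sub]) for sub in maximal]

def model_delete(theory, a):
    """Model-oriented deletion of a ground fact, in the spirit of this thesis:
    make atom `a` false in every model and leave everything else untouched."""
    return frozenset(m - {a} for m in models_of(theory))

def representation_independent(update):
    """True when the update gives the same result on T1 and T2."""
    return update(T1) == update(T2)
```

T1 and T2 have exactly one model, so the model-based deletion yields the single model in which only Emp(Nilsson, CSD) holds for both theories. The syntactic deletion removes the whole conjunction from T1, leaving the empty theory and all four models, but keeps Emp(Nilsson, CSD) in T2, leaving two models: the same update, two different results.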

One benefit of our approach is the feasibility of an efficient algorithm for update computation; this is not possible in the framework of Fagin et al. For example, Fagin et al define the deletion of a formula α from a first-order theory T as, roughly speaking, the set of all maximal subtheories of T that do not logically entail α. One cannot expect a polynomial-time procedure for testing whether α follows from a first-order theory. In contrast, our update algorithms require time linear in the size of the theory being updated.

As do Fagin et al, we identify multiple levels of formulas in a theory: axioms and non-axioms, in our case. However, we divide our axioms into different classes based on their intended semantics, and provide different sorts of algorithmic manipulations for the different classes under update. Fagin et al allow for an arbitrary number of levels of formulas, but do not note a need for different semantics at different levels or for certain formulas.

Our debt to Reiter [84, 84b] for his logical formulation of closed-world databases has already been mentioned. Reiter describes an encoding of databases containing disjunctive information and null values as first-order theories with equality. His focus in this work is on algorithms for query evaluation over such databases.

Very recently, DeKleer [85] and Reiter [85] have investigated the problem of circuit diagnosis, formulated as the problem of updating a set of propositional formulas. They both take a logic theory describing the correct behavior of a circuit, and consider the problem of making minimal changes in that theory in order to make it consistent with a formula describing the circuit’s observed behavior. This is closely allied to the problem we investigate (though circuit diagnosis does not require the use of selection clauses in update requests). However, the changes needed in the theory of the circuit are themselves the diagnosis of the circuit, and must be output to the user. As it is an NP-hard problem just to determine whether any changes are needed at all in the circuit description (i.e., to do satisfiability testing and determine whether the circuit is functioning correctly), one cannot expect to find a polynomial-time algorithm for diagnosis. In contrast, we were particularly interested in producing polynomial-time algorithms to perform updates. The algorithms we present in Chapter 3 and subsequent chapters could be used for the circuit diagnosis problem only when the new “diagnosed” theory is of interest, rather than the exact changes made to the old theory.

In other recent work, Weber [86] takes a similar position on update semantics to that of DeKleer and Reiter, and provides an algorithm for implementing his update semantics for propositional theories. Extending his algorithm to first-order theories containing Skolem constants, that is, databases with null values, is not straightforward, however. Again, Weber does not consider updates with selection clauses or offer a polynomial-time algorithm for implementation.

Abiteboul and Grahne [Abiteboul 85] investigate the problem of updates on several varieties of tables, or relations containing null values and history constraints other than integrity constraints. They propose a semantics similar to our own for simple updates, and investigate the relationship between table type and ability to represent the result of an update correctly and completely. They do not consider updates with joins or disjunctions in selection clauses, comparisons between attribute values, or selection clauses referencing tuples other than the tuple being updated. Their conclusion was that only the most powerful and complex version of tables was able to fully support their update operators. Abiteboul and Grahne do not frame their investigation in the paradigm of mathematical logic, making their work less applicable to AI needs, one important application for this work.

In the AI realm, Levesque [84] considered the problem of updating knowledge bases with his TELL operation; however, TELL could only eliminate models from the set of models for the knowledge base, not change the internal contents of those models. In other words, one could only TELL the knowledge base new information that was consistent with what was already known. This is an important and vital function, but an agent also needs to be able to make changes in the belief set that contradict current beliefs [Harman 86]. For example, the agent should be able to change the belief that block A is on block B if, for example, the agent observes an arm removing A from B.

Work  on  belief  revision  as  pursued  by  researchers  in  artificial  intelligence 
(see  e.g.  [Doyle  79,  McCarthy  80])  typically  focuses  on  the  problem  of  how  to 
obtain  correct  inferences  from  a  set  of  axioms  and  base  beliefs  as  the  set  of  base 
beliefs  itself  undergoes  revision.  This  approach  assumes  that  a  means  is  available 
of  updating  the  base  set  of  beliefs,  and  concentrates  on  the  extremely  difficult 
problem  of  revising  derived  beliefs  correctly.  However,  we  will  show  that  when 
the  base  set  of  beliefs  contains  incomplete  information,  it  may  be  quite  difficult 
to  see  how  to  reflect  new  information  in  those  beliefs.  With  the  exception  of 
Chapter  6,  which  gives  a  simple  treatment  of  certain  types  of  derived  beliefs,  this 
thesis  is  concerned  solely  with  the  problems  of  revising  the  base  set  of  beliefs. 

In the same vein, the interpretation of counterfactuals [Lewis 73, Ginsberg 85] faces very similar problems to those we address in the minimal-change semantics (Chapter 7): identification of potential states that satisfy a certain formula and differ as little as possible from a starting state.

This  work  provides  a  theoretical  underpinning  for  the  view  update  problem 
in  database  theory  [Bancilhon  81,  Dayal  82,  Keller  82,  85].  As  many  researchers 
have  noted,  updates  through  views  such  as  projections  can  produce  incomplete 
information  in  the  relations  underlying  the  view.  Given  a  view  update  policy,  i.e., 
a  method  of  translating  updates  expressed  against  views  into  updates  on  base 
relations,  our  approach  can  be  used  to  implement  those  updates. 
Chapter 3: Syntax, Semantics, and an Update Algorithm


Incomplete information occurs when, due to insufficient knowledge about the state of the world, there is more than one candidate database to represent the current state of the world. In the database world, one can imagine the user keeping a set of relational databases (even an infinite set, if one imagines vigorously), knowing that one of these databases corresponds to the actual state of the world, but needing more information to know which database is the correct one.† If the user wants to apply an ordinary relational update to this set of candidate databases, then the natural definition of the semantics of the update is to apply the update to each candidate database individually.

Though this imaginary scenario paints a clear picture of the semantics of ordinary updates when incomplete information is present, it is unsuitable for direct implementation due to the prohibitive expense of storing multiple databases. A more compact representation of the candidate databases is required for the sake of efficiency. Our solution is the extended relational theory, a formalization of the multiple-database scenario and an extension of Reiter's relational theories [Reiter 84, 84b]. Extended relational theories are sufficiently powerful to represent in one theory any realistic‡ set of relational databases all having the same schema and integrity constraints. Section 3.1 gives a formal description of the language and structure of extended relational theories.

Ordinary relational updates are not sufficiently powerful to express all desirable transformations on a set of candidate databases. For example, with ordinary updates there is no way to add new candidate databases to the set, or eliminate old candidates that are now known to be incorrect. Section 3.2 proposes a syntax and semantics suitable for updates to extended relational theories.

Though extended relational theories solve the compact representation problem, they raise another question: how can the effect of an update on a set of candidate databases be translated into an algorithm that operates directly on an extended relational theory? Section 3.3 presents the Update Algorithm for applying updates to extended relational theories, and Section 3.4 discusses the computational complexity of the Update Algorithm.

† Heuristic guidelines may be available that give likelihood estimates for the different possible states of the world [Michalski 86, Nilsson 86, Zadeh 79]. How to incorporate these into an update algorithm is an interesting open question.

‡ Not every set of relational databases can be represented as the models of a first-order theory. However, it is highly unlikely that any application of this work will ever run up against that particular limitation of logic.
3.1. Extended Relational Theories

We now give a formal presentation of extended relational theories, a method of representing multiple candidate databases in a single logic theory.

3.1.1.  The  Language 

The language ℒ for the theories contains the following symbols:

1. An infinite set of variables, for use in axioms.

2. An infinite set of constants. These represent the elements in the domains of database attributes, plus additional constants for technical reasons.

3. A finite set of data predicates of arity 1 or more, representing the attributes and relations of the database.

4. Punctuation symbols; and

5. Logical connectives, quantifiers, truth values, and the equality predicate: ∧, ∨, ¬, →, ↔, ∀, ∃, T, F, and =.

6. For each database predicate R (item 3 above), one history predicate H_R of arity one greater than R. Also, a unary history predicate H. The history predicates are present for technical reasons.

7. An infinite set of Skolem constants ε, ε1, ε2, ε3, .... Skolem constants are the logical formulation of null values; they represent existentially quantified variables. For example, if a logical theory consists of the two wffs R(ε, c1) and R(c2, ε) ∨ R(ε2, ε3), then this theory has the same models as the wff ∃x1∃x2∃x3(R(x1, c1) ∧ (R(c2, x1) ∨ R(x2, x3))) (see e.g. [Enderton 72]). ◇

Note that this language does not have any means of representing the null value commonly called "inapplicable." Inapplicable nulls do not fit into a logic framework, as they indicate a mismatch between the possible models of theories over a language and the real world that the models are intended to represent. Vassiliou [79] offers a lattice-theoretic treatment of inapplicable nulls; Zaniolo [82] offers another approach. Or, one can revamp the predicates of the language/database to prevent the occurrence of "inapplicable" nulls, for example along the lines of the structural model [Wiederhold 83]. Or, for the reader interested in working out the details of such a scheme, conventional wisdom has it that inapplicable nulls are computationally quite tractable to handle in traditional database queries and updates; it is said that one does not need to resort to logic or another sophisticated framework in order to describe the effect of a series of updates on a database containing inapplicable nulls.

We now present some terminology used in the remainder of this work.

Atomic formulas are well-formed formulas (wffs) without logical connectives. We consider Skolem constants to be functions; hence Skolem constants may occur in atomic formulas. For the purposes of this chapter, atoms are atomic formulas without variables as arguments. Atoms without Skolem constants are called null-free. Datoms (pronounced "datums") are atoms over data predicates. For example, R(ε) and R(c) are datoms; R(x), H_R(c), and ε=c are not datoms. The name "datom" is intended to invoke the image of a datum, i.e., a bit of data, and indeed, datoms will be the building blocks of our incomplete-information databases; and also to invoke thoughts of atoms, i.e., the atomic formulas of first-order logic, and indeed, datoms have a logical nature as well.

Definitions. σ is a substitution if σ defines a syntactic replacement of distinct Skolem constants and/or variables by constants and Skolem constants. In traditional form a substitution σ applied to a wff α is written, for example, as ... or more concisely as (α)σ. The wff form of σ is the wff ε1=c1 ∧ ··· ∧ εn=cn. The wff form of the identity substitution (i.e., where no substitutions are specified) is the truth value T. If c1 through cn are all constants, then σ is a constant substitution. All substitutions are assumed to be nonredundant, i.e., if εi is replaced by ci, then ci is not later itself replaced in σ. ◇

In the discussions that follow, σ will be assumed to be in wff form whenever that follows logically from the context; for example, assume σ is in wff form when it is a subformula of α∧σ.

On occasion we will speak of a more exotic type of syntactic replacement, that of one datom for another. For example, (α)^{H_R(c,d)}_{R(c)} calls for the replacement of all occurrences of R(c) in α by the history atom H_R(c, d). A datom substitution has no wff form. Datom substitutions will be so designated explicitly in the text.

3.1.2. Extended Relational Theories

Extended relational theories, an extension of Reiter's relational theories [Reiter 84], encode the semantics of databases with incomplete information. A theory T over ℒ is an extended relational theory if T has exactly the following wffs:

1. Body: The body of T may be any finite set of wffs of ℒ without variables. For example, the body might be the wff ¬(R(c) ∧ R(ε1)).

In ordinary relational databases, the convention is that all atoms not explicitly mentioned in the database are false; that is, the database contains only those atoms that are known to be true [Clark 78, Lifschitz 85, Reiter 80]. An analogue of this closed-world assumption is needed for extended relational theories, as otherwise T might have models in which, for example, an infinite number of datoms were true. An appropriate closed-world assumption is that T must include axioms stating that the only datoms that may be true in a model of T are those that unify† with subformulas of T. This means that a datom not unifying with any datom of T should be false in all models of T. The closed-world assumption is codified in the completion axiom section of T.

† In this formulation, two atoms f and g unify if there exists a substitution σ for the Skolem constants and variables of f and g under which f and g are syntactically identical. If atoms f and g unify with one another under substitutions σ1 and σ2, then σ1 is more general than σ2 if there exists a substitution σ3 such that ((f)σ1)σ3 is (f)σ2.
2. Completion Axioms: T contains one completion axiom for each n-ary data predicate R of T. If no atom over R is a subformula of the body of T, then T contains the completion axiom ∀x1 ··· ∀xn ¬R(x1, ..., xn). Otherwise, T contains the axiom

∀x1 ... ∀xn (R(x1, ..., xn) → ∨_{σ∈S} σ),

where S is the set of all most general substitutions σ such that some atom in the body of T unifies with R(x1, ..., xn) under σ. ◇

Note that the completion axioms of T may be derived mechanically from the rest of T. For example, ∀x(R(x) → (x=c ∨ x=ε1)) is a completion axiom for the example body given earlier. We say that R(c1, ..., cn) is represented in the axiom if (x1 = c1) ∧ ... ∧ (xn = cn) is a disjunct of the completion axiom.
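As an added illustration of the unification footnote above and of deriving completion axioms mechanically from a body, here is a small Python implementation. It is example code written for this page, not part of the thesis, and it assumes two conventions the thesis does not fix: an atom is a tuple (predicate, term1, ..., termn), and a term is a variable if its name starts with "x", a Skolem constant if it starts with "e", and an ordinary constant otherwise (so the unique name axioms make two distinct ordinary constants non-unifiable).

```python
# Added example (not from the thesis): unification of atoms over constants and
# Skolem constants, and mechanical derivation of completion axioms (Section 3.1.2).
# Assumed naming convention: variables start with "x", Skolem constants with "e",
# every other name is an ordinary constant. Atoms are tuples (pred, t1, ..., tn).

def is_open(term):
    """Variables and Skolem constants are the terms a substitution may replace."""
    return term[0] in ("x", "e")

def resolve(term, sigma):
    """Follow bindings so that the substitution returned is nonredundant."""
    while term in sigma:
        term = sigma[term]
    return term

def unify(f, g):
    """Most general substitution under which atoms f and g become syntactically
    identical, or None if they do not unify."""
    if f[0] != g[0] or len(f) != len(g):
        return None
    sigma = {}
    for s, t in zip(f[1:], g[1:]):
        s, t = resolve(s, sigma), resolve(t, sigma)
        if s == t:
            continue
        if is_open(s):
            sigma[s] = t
        elif is_open(t):
            sigma[t] = s
        else:  # two distinct ordinary constants: the unique name axioms keep them apart
            return None
    return {k: resolve(v, sigma) for k, v in sigma.items()}

def completion_axiom(pred, arity, body_atoms):
    """Disjuncts of the completion axiom for an n-ary data predicate: one tuple of
    (x_i = t_i) equalities for each most general substitution that unifies a body
    atom with pred(x1, ..., xn). An empty list stands for forall x not pred(x)."""
    pattern = (pred,) + tuple(f"x{i}" for i in range(1, arity + 1))
    disjuncts = []
    for atom in body_atoms:
        sigma = unify(pattern, atom)
        if sigma is None:
            continue
        eqs = tuple((v, sigma[v]) for v in pattern[1:])
        if eqs not in disjuncts:
            disjuncts.append(eqs)
    return disjuncts

def render(pred, arity, disjuncts):
    """Human-readable form of the axiom built by completion_axiom."""
    variables = [f"x{i}" for i in range(1, arity + 1)]
    quant = "".join(f"forall {v} " for v in variables)
    head = f"{pred}({', '.join(variables)})"
    if not disjuncts:
        return f"{quant}not {head}"
    body = " or ".join("(" + " and ".join(f"{v}={t}" for v, t in d) + ")" for d in disjuncts)
    return f"{quant}({head} -> {body})"

def is_represented(atom, disjuncts):
    """R(c1,...,cn) is represented in the axiom iff (x1=c1) and ... and (xn=cn) is a disjunct."""
    eqs = tuple((f"x{i}", t) for i, t in enumerate(atom[1:], start=1))
    return eqs in disjuncts

# Constructed sample: the datoms of the example body not(R(c) and R(e1)) from Section 3.1.2.
BODY_ATOMS = [("R", "c"), ("R", "e1")]

if __name__ == "__main__":
    axiom = completion_axiom("R", 1, BODY_ATOMS)
    print(render("R", 1, axiom))                     # the axiom quoted in the text
    print(is_represented(("R", "c"), axiom))         # True
    print(unify(("R", "e1", "c"), ("R", "c2", "e")))  # {'e1': 'c2', 'e': 'c'}
```

The body of an extended relational theory contains no variables, so when the pattern R(x1, ..., xn) is unified with a body atom each xi is simply bound to the atom's i-th argument; `unify` is nonetheless written for the general case (Skolem constants on both sides), which is what the Update Algorithm of Section 3.3 needs when it asks which atoms of the theory unify with an atom of the update.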

A model M of T is a standard model if in addition to all the formulas in T, M satisfies the unique name axioms c1 ≠ c2 for each pair of distinct constants c1, c2 in ℒ. In this work, all models under discussion are assumed to be standard models; so, for example, a wff α is satisfiable iff it is satisfied by some standard model.

Each standard model includes a mapping from the constants and Skolem constants of ℒ to elements in the universe of M. The effect of this mapping on Skolem constants will often be of particular interest, and to allow easy reference to this information, we will now define a set of special wffs associated with M, its Skolem constant substitutions. Let ℒ′ be an extension of ℒ, created as follows: for each Skolem constant ε of ℒ that maps to an element c in M that is not named by any constant of ℒ, add an additional constant to ℒ and map it to c in M. Then the Skolem constant substitution σ of M with respect to a finite set of wffs S is a substitution of constants of ℒ′ for all the Skolem constants of S, such that the wff σ is true in M. Note that if M is a model of T, then M is also a model of (T)σ.

In an implementation of extended relational theories, one would not actually store the unique name or completion axioms. Rather, the axioms formalize our intuitions about the behavior of a query and update processor operating on the body of the extended relational theory. For example, PROLOG is a query processor that shares our unique name axioms, but has an entirely different closed-world assumption.

Another possible type of completion axiom, the domain completion axiom [Reiter 84], has not been included in the definition of extended relational theories. The domain completion axiom takes the form ∀x((x = c1) ∨ ··· ∨ (x = cn)), implying that there are a finite number of elements in the universe, and they are all known and named by constants or Skolem constants in ℒ. This completion axiom can be maintained during updates by using the same techniques as for the other completion axioms. The universe completion axiom will be discussed in more detail in Chapter 6.
Recall that some predicates are present in ℒ merely for technical reasons: the history predicates. Therefore the models of T give truth valuations for all history predicate atoms, even though history predicates are not of interest to users. For that reason we define the alternative worlds of T, written Worlds(T), as the objects produced by reducing Models(T) (i.e., the models of T) to data predicates. A model M represents an alternative world A if removing the truth valuation information in M for history predicates produces A. World(M) is the alternative world represented by M; Worlds(S), for S a set of models, is ∪_{M∈S} World(M).

Intuitively, an alternative world is a snapshot of the tuples of a complete-information relational database. The alternative worlds of an extended relational theory look like a set of ordinary relational databases all having the same schema and axioms.

With the inclusion of history predicates in ℒ, we depart from Reiter's paradigm. Because these predicates are "invisible" in alternative worlds, there may not be a one-to-one correspondence between the models of a relational theory and its alternative worlds, as two models may give the same truth valuations to all null-free datoms but differ on some null-free history atoms, and still represent the same alternative world. Alternative worlds contain just the information that would be of interest to a database user, while models may be cluttered with history atoms of no external interest. The history predicates do not actually extend the expressive power of ℒ; the proof of Theorem 7-1 will show that, with a few minor restrictions, given any extended relational theory T there exists an extended relational theory T′ not containing history predicates, such that Worlds(T) = Worlds(T′).

3.2. A Language for Updates

As mentioned in the introduction to this chapter, traditional relational update languages are not sufficiently powerful for use when incomplete information is present. The traditional languages also lack sufficiently formal semantics for a rigorous examination of the properties of these languages. This section presents a data manipulation language that remedies these two deficiencies. Appropriate subsets of traditional update languages, such as those of SQL and INGRES without aggregation, may be embedded in this language. In this chapter, only updates without variables will be considered; Chapter 4 extends this approach to updates with variables.

3.2.1. Update Syntax

Let φ and ω be formulas over ℒ without history predicates or variables. Then an update takes the form INSERT ω WHERE φ.

The reader may wonder what has happened to the traditional relational data manipulation operations of MODIFY and DELETE. Under the semantics presented below, any DELETE or MODIFY request can be phrased as an INSERT request, using negation. To simplify the presentation, DELETE and MODIFY are omitted right from the start; details of the mapping will be presented at the end of Section 3.2.2.


Examples. Suppose the database schema has two relations, Mgr(Manager, Department) and Emp(Employee, Department). Then the following are updates, with their approximate intended semantics offered in italics:

INSERT Emp(Reid, ε) ∧ (ε=CSD ∨ ε=EE) WHERE ¬Mgr(Nilsson, CSL). In alternative worlds where Nilsson doesn't manage CSL, insert the fact that Reid is in one of CSD and EE.

INSERT ¬Emp(Reid, ε) WHERE ¬Mgr(Nilsson, ε) ∧ Emp(Reid, ε). For some department Nilsson does not manage, delete the fact that Reid is in that department.

INSERT F WHERE ¬Emp(Reid, CSL). Eliminate all alternative worlds where Reid isn't in CSL.

INSERT ¬Emp(Reid, CSL) ∧ Emp(Reid, ε) WHERE Emp(Reid, CSL). In any alternative worlds where Reid was in CSL, reduce that belief to just believing that he is in some department.

INSERT ¬Emp(Reid, ε) WHERE T. Insert the fact that Reid is not a member of every department.


3.2.2. Update Semantics


We define the semantics of an update operating on an extended relational theory T by its desired effect on the models of T. In particular, the alternative worlds of the updated relational theory must be the same as those obtained by applying the update separately to each original alternative world. In database terms, this may be rephrased as follows: The database with incomplete information represents a (possibly infinite) set of alternative worlds, or complete-information relational databases, each different and each one possibly the real, unknown world. The correct result of an update is that obtained by storing a separate database for each alternative world and running the update in parallel on each separate database. A necessary and sufficient guarantee of correctness for any more efficient and practical method of update processing is that it produce the same results for updates as the parallel computation method. Equivalently, we require that the diagram below be commutative: both paths from upper-left-hand corner to lower-right-hand corner must produce the same result.

                 has alternative world
          T  ------------------------>  A
          |                             |
   update |                             | update
          v                             v
          T' ------------------------>  A'
                 has alternative world
The general criteria guiding our choice of semantics are, first, that the semantics agree with traditional semantics in the case where the update request is to insert or delete a single atom, or to modify one atom to be another. Second, an update cannot directly change the truth valuations of any atoms except those that unify with atoms of ω. For example, the update INSERT Emp(Reid, CSD) WHERE T cannot change the department of any employee but Reid, and cannot change the truth valuation of formulas such as Mgr(Nilsson, CSD).

Two more important criteria are that the new information in ω is to represent the most exact and most recent state of knowledge obtainable about the atoms that the update inserts; and the update is to override all previous information about these atoms. These two criteria have a syntactic component: one should not necessarily expect two updates with logically equivalent ω's to produce the same results. For example, the update INSERT T WHERE T is different from INSERT Emp(Reid, CSD) ∨ ¬Emp(Reid, CSD) WHERE T; one update reports no change in the information available about Reid's department, and the other reports that whether Reid is in CSD is now unknown.

For a formal definition of semantics that meets the criteria outlined in this section, let U be a null-free update and let M be a model of an extended relational theory T. Then U(M) contains just M if φ is false in M. Otherwise, U(M) contains every model M′ with the same universe and mappings as M, such that

(1) M′ agrees with M on the truth valuations of all null-free atoms except possibly those in ω; and

(2) ω is true in M′. ◇

Example. If the user requests INSERT Emp(Reid, CSD) ∨ Emp(Reid, EE) WHERE T, then three models are created from each model M of T: one where Reid is in both CSD and EE, one where Reid is just in CSD, and one where Reid is just in EE, regardless of whether Reid was in CSD or EE in M originally. ◇


For simplicity, the semantics of U has been defined in terms of U's effect on the model M rather than in terms of U's effect on the alternative world represented by M. However, because the semantics is independent of the truth valuations of history atoms in M, U will have the same effect (i.e., produce the same alternative worlds) on every model representing the same alternative world as M.

The remarks at the beginning of this section on correctness of update processing may be summed up in the following definition:

Definition. Given two extended relational theories T and T′, T′ accomplishes the null-free update U if

Worlds(T′) = ∪_{M∈Models(T)} Worlds(U(M)). ◇
This semantics must be extended to cover the case where Skolem constants occur in U. Intuitively, the essential idea is that if the user only had more information, the user would not be requesting an update containing Skolem constants, but rather an ordinary update without Skolem constants. Under this assumption, the correct way to handle an update U with Skolem constants is to consider all the possible null-free updates represented by U and execute each of those in parallel, collecting the alternative worlds so produced in one large set. Then the result of the update the user would have requested had more information been available is guaranteed to be in that set.

For a more formal definition, a bit of new terminology is needed. If U is the update INSERT ω WHERE φ and σ is a substitution, then let (U)σ be the update INSERT (ω)σ WHERE (φ)σ. If T is a theory or set of wffs, then let (T)σ be the theory resulting from applying σ to each formula in T.

Definition. Given two extended relational theories T and T′, T′ accomplishes the update U if

Worlds(T′) = ∪_{M∈Models(T)} Worlds((U)σ(M)),

where σ is the Skolem constant substitution for M with respect to U. ◇

A moment's examination of the semantics given earlier shows that this definition simply amounts to replacing ω in rules 1 and 2 by (ω)σ.

The advantage of this approach to null values in updates is that σ associates any Skolem constant ε that occurs in both U and T with the same element in M, so that the user can directly refer to entities such as "that department that we earlier noted that Reid is in, though we didn't know exactly which department it was."

Example. If ∀x¬R(x) is true in M and we then insert R(ε1) ∨ R(ε2) into M, then U(M) will contain every model M′ such that just one or two null-free atoms of R are true in M′, with truth valuations for other datoms unchanged. ◇


Under these definitions, the traditional relational operations of DELETE and MODIFY can be phrased as INSERT requests as follows: to delete a datom t in all alternative worlds where φ is true, use the update INSERT ¬t WHERE φ. For example, INSERT ¬Emp(Reid, CSL) WHERE T will "delete" the atom Emp(Reid, CSL) from the Emp relation. To modify a datom t to be a different datom ω, use the update INSERT ω ∧ ¬t WHERE φ ∧ t. For example, to change Reid's department from CSL to CSD, use the update INSERT Emp(Reid, CSD) ∧ ¬Emp(Reid, CSL) WHERE Emp(Reid, CSL).
3.3. The Update Algorithm

The semantics presented in the previous section describes the effect of an update on the models of a theory; the semantics gives no hints whatsoever on how to translate that effect into changes in the extended relational theory. An algorithm for performing updates cannot proceed by generating models from the theory and updating them directly; this is because the number of non-isomorphic models may be exponential in the length of the theory, and it may be very difficult to find even one model, as that is equivalent to satisfiability testing of the theory. Any update algorithm must find a more efficient way of implementing this semantics.

The Update Algorithm proposed in this section for incorporating updates into an extended relational theory T may be summarized as follows: For each atom f in T that unifies with an atom of ω, replace all occurrences of f in T by a history atom.† Then add a new formula to T that defines the correct truth valuation of f when φ is false, and another formula to give the correct valuation of f when φ is true.

Before a more formal presentation of the Update Algorithm, let us motivate its workings in a series of examples that will illustrate the problems and principles underlying the algorithm.

3.3.1. A Simple Example

Let the body of T be ¬Emp(Reid, CSL), and the new update be INSERT Emp(Reid, CSL) WHERE T.

One's natural instinct is to add φ→ω to T, because the update says that ω is to be true in all alternative worlds where φ is true now. Unfortunately, ω probably contradicts the rest of T. For example, adding T→Emp(Reid, CSL) to T makes T inconsistent, because T already contains ¬Emp(Reid, CSL). Evidently ω may contradict parts of T, and those parts must be removed from T; in this case it would suffice to simply remove the formula ¬Emp(Reid, CSL).

But suppose that the body of T contains more complicated formulas: Mgr(Nilsson, CSD) ↔ ¬Emp(Reid, CSD) and Mgr(Nilsson, CSL) ↔ ¬Emp(Reid, CSD). One cannot simply excise ¬Emp(Reid, CSL) or replace it by a truth value without changing the models for the remaining atoms of T; but by the semantics for updates, no datom truth valuation except that of Emp(Reid, CSL) can be affected by the requested update.

The solution to this problem is to replace all occurrences of Emp(Reid, CSL) in T by another atom. However, the atom used must not be part of any alternative world, as otherwise the replacement might change that atom's truth valuation. This is where the special history predicates of ℒ come into play; we can replace each atom of ω by a history atom throughout T, and make only minimal changes in the truth valuations in the alternative worlds of T. In the

† These history atoms are not visible externally, i.e., they may not occur in updates; they are for internal extended relational theory use only.
current case, Emp(Reid, CSL) is replaced by H_Emp(Reid, CSL, U), where U is a unique ID for the current update.‡ For convenience, we will write H_Emp(Reid, CSL, U) as H(Emp(Reid, CSL), U), to avoid the subscript. This atom may look forbidding, but it is really quite simple; read it as "Reid was in CSL at the time of update U". The datom substitution that replaces every datom f of ω by its history atom H(f, U) is called the history substitution and is written σ_H. Again, H(f, U) should be read as "f was true at the time of update U".

This is not the only possible means of removing the datoms of ω from T. Contradictory wffs may be ferreted out and removed without using history predicates, by a process such as that used by Weber [86]: If f is a datom of ω that is a subformula of a wff α, then replace α by (α)^T_f ∨ (α)^F_f. Unfortunately, in the worst case such a process will multiply the space required to store the theory by a factor that is exponential in the number of atoms in the update. In addition, if a datom f of ω also is a subformula of φ, then once f is removed entirely from T, it may not be possible to identify the models of T where φ was true, i.e., where the update is to take place. Therefore this technique is useful only for atoms of ω that do not unify with any atom of φ. Further, this technique does not extend well to the case where Skolem constants occur in U or T (see the proof of Theorem 7-1). Finally, when this method is used it is expensive to specify the correct truth valuations for the datoms of ω in models where φ is false. As its worst-case characteristics are less pleasant than when a history substitution is used, this technique will not be considered further.

Now consider a slightly more complicated update U: INSERT Emp(Reid, CSL) WHERE Mgr(Nilsson, CSL), when T contains just ¬Emp(Reid, CSL). As just explained, the first step is to replace this body by (¬Emp(Reid, CSL))σ_H, i.e., ¬H(Emp(Reid, CSL), U). Within a model M of T, this step interchanges the truth valuations of every datom f in ω and its history atom H(f, U); if φ was true in M initially, then (φ)σ_H is now true in M.

It is now possible to act on the original algorithmic intuition and add (φ)σ_H → ω to the body of T, establishing correct truth valuations for the atoms of ω in models where φ was true initially. In the employee example, the body of T now contains the two formulas
¬H(Emp(Reid, CSL), U) and
Mgr(Nilsson, CSL) → Emp(Reid, CSL).

Unfortunately, the fact "if Nilsson is not the manager of CSL then Reid is not in CSL" has been lost! The solution is to also add formulas governing truth valuations for atoms in ω when φ is false: Add (f ↔ H(f, U)) ∨ (φ)σ_H to T for each atom f in ω. In other words, if φ was false in a model M when the update began, then f has the same truth valuation in M as it did originally. Then T contains

‡ If the argument U were not present, then a similar substitution in a later update involving Emp(Reid, CSL) would make big changes in the alternative worlds of T at that time. For that reason, the U in H(f, U) should be a constant, so that H(f, U) will not unify with any history atom used in any other update.
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-i£f(Emp(Reid,  CSL),  U ), 

Mgr(Nilsson,  CSL)— ►Emp(Reid,  CSL),  and 

(Emp(Reid,  CSL)~ff(Emp(Reid,CSL),  U))  V  Mgr(Nilsson,  CSL). 

To make the new version of T into an extended relational theory, the new atom Mgr(Nilsson, CSL) must be represented in the completion axiom for Mgr. Once this is done, yet another problem remains, for this newest theory has models in which Nilsson manages CSL, even though the completion axioms of the original theory disallowed that. The solution is to add ¬Mgr(Nilsson, CSL) to the body of T. This is best accomplished at the very beginning of the update process, before the history substitution is applied. If we retroactively add this wff, T now has the desired alternative worlds.

Reviewing the example, we see that the update process falls into two phases. The first phase is best thought of as a preprocessing stage, where T is changed by representing new atoms in its completion axioms. This phase does not change the alternative worlds of T. In the second phase, the alternative worlds of T are altered, first by the use of history predicates, and then by the addition of formulas governing the truth valuation of atoms in ω.

3.3.2.  An  Example  with  Skolem  Constants 

The informal algorithm proposed so far does not work when Skolem constants are present in either the theory or the update. The basic difficulty is that one must update every atom in the theory that unifies with something in ω, since truth valuations for that atom might possibly be changed by the new update. For example, suppose the body of T contains the formula Mgr(Nilsson, e), and the new update is INSERT ¬Mgr(Nilsson, CSL) WHERE T. In other words, Nilsson was known to manage some department, and is now known not to manage CSL, quite possibly because he has just resigned that position.† A moment's thought shows that quite possibly Nilsson now manages no departments (e.g., if he has retired), and so the formula Mgr(Nilsson, e), which unifies with Mgr(Nilsson, CSL), must be changed in some way; (e≠CSL) → Mgr(Nilsson, e) is the obvious replacement. In the general case, it is necessary to replace all atoms in T that unify with datoms of ω by history atoms as part of the history substitution step.

† In other words, the update leaves open the possibility that the underlying state of the world has changed. To say that Nilsson does not manage CSL, while retaining the belief that Nilsson manages some department, the appropriate update is INSERT F WHERE Mgr(Nilsson, CSL); this new update says that the state of the world has not changed, but that we now have more information about its state. Although both updates talk about Nilsson's department, their semantics are quite different.

Let's examine one final example. Suppose the theory initially contains the wff Mgr(Nilsson, CSL) and the new update takes the form INSERT Mgr(Nilsson, e) WHERE T, implying that Nilsson may now manage another department. In the first phase of the update, Mgr(Nilsson, e) is to be represented in the completion axiom for Mgr, without changing the models of T. In earlier examples, it sufficed to add a disjunct to the completion axiom for Mgr and add ¬Mgr(Nilsson, e) to the body of T. Unfortunately, this procedure would change the alternative worlds of T by permanently eliminating the possibility that e is CSL:

Mgr(Nilsson, CSL),

¬Mgr(Nilsson, e).

This problem arises because Mgr(Nilsson, e) already is an implicit subformula† of T. The solution is to add the wff Mgr(Nilsson, e) → (e=CSL) to the body of T rather than ¬Mgr(Nilsson, e), that is, to add the fact that if Nilsson already manages a department e, then e must be a department already mentioned in T as a possible candidate for his management.

Continuing with phase two of the suggested algorithm, a theory is produced containing the four formulas

H(Mgr(Nilsson, e), U) → (e=CSL),

H(Mgr(Nilsson, CSL), U),

T → Mgr(Nilsson, e), and

(Mgr(Nilsson, e) ↔ H(Mgr(Nilsson, e), U)) ∨ T.

Unfortunately, this theory has models where Mgr(Nilsson, CSL) is false! The problem is that the algorithm does not yet properly take care of the alternative worlds where e is not bound to CSL; in those worlds, Mgr(Nilsson, CSL) must still be true, regardless of what the new information in the update may be. The solution is to add (e≠CSL) → (Mgr(Nilsson, CSL) ↔ H(Mgr(Nilsson, CSL), U)) to T, and in fact this new theory has the desired alternative worlds.

3.3.3.  The  Algorithm 

The lessons of the preceding examples may be summarized as an algorithm for executing an update U given by INSERT ω WHERE φ against an extended relational theory T.

The  Update  Algorithm  (Version  I) 

Input.  An  extended  relational  theory  T  and  an  update  U . 

Output.  T',  an  updated  version  of  T. 

Procedure.  A  sequence  of  four  steps: 

Step 1. Maintain the closed-world assumption. To maintain the closed-world assumption, all datoms in ω and φ need to be represented in the completion axioms of T. First change the body of T to reflect the new completion axioms: for each atom g that is a subformula of ω or φ but not of T, let Σ_0 be the set of the most general substitutions σ such that for some datom f in T, f unifies with g under σ. If Σ_0 is the empty set, then add ¬g to the body of T; otherwise, add the wff

$$g \rightarrow \bigvee_{\sigma \in \Sigma_0} \sigma \qquad (1)$$

to the body of T, where each substitution σ is written as the conjunction of its equalities. Then for every datom g of T not represented in the completion axioms, add a disjunct representing g to those axioms. Call the resulting theory T′.

† If a datom f is not a subformula of a wff α, but there is a substitution σ such that f is a subformula of (α)σ, then f is an implicit subformula of α. For example, R(c) and R(d) are implicit subformulas of R(e) ∧ (e=c).


Example. If ω contains the datom R(a, e2, e1), and the body of T contains the datoms R(e3, c, e4) and R(e4, c, c), then add R(a, e2, e1) → ((a=e3) ∧ (e2=c) ∧ (e1=e4)) ∨ ((a=e4) ∧ (e2=c) ∧ (e1=c)) to the body of T, and add the disjunct (x1=a) ∧ (x2=e2) ∧ (x3=e1) to the completion axiom for R. Intuitively, Formula (1) says that if g is true in some model of T, this must be because g has unified with a preexisting atom of T in that model.

Step 2. Make history. For each atom f in T′ that unifies with an atom of ω, replace all occurrences of f in the body of T′ by the history atom H(f, U). In other words, replace the body B of T′ by (B)σ_H.

Step 3. Define the scope of the update. Add the wff (φ)σ_H → ω to T′.

Step 4. Restrict the scope of the update. For each datom f in σ_H, let Σ be the set of all most general substitutions σ under which f unifies with an atom of ω. Add the wff

$$(f \leftrightarrow H(f, U)) \vee \Big((\phi)\sigma_H \wedge \bigvee_{\sigma \in \Sigma} \sigma\Big) \qquad (2)$$

to T′. Intuitively, for f an atom that might possibly have its truth valuation changed by update U, formula (2) says that the truth valuation of f can change only in a model where φ was true originally, and further that in any model so created, f must be unified with an atom of ω. □

Example. Let the body of T be the wff
¬Emp(Reid, CSD) ∧ Emp(Reid, CSL) ∧ Mgr(Nilsson, e),

and the update be INSERT Emp(Reid, e) ∧ (e≠EE) WHERE T. Then the alternative worlds of T initially consist of all worlds where Reid is in CSL and Nilsson manages some one department. After the update, the alternative worlds should be those where Reid is in CSL and Reid is in a department managed by Nilsson, and that department is not EE.

Step 1. Add the wff Emp(Reid, e) → ((e=CSD) ∨ (e=CSL)) to the body of T, and the corresponding disjunct to the completion axiom. Note that Step 1 does not change the alternative worlds of the theory.

Step 2. Replace Emp(Reid, CSD), Emp(Reid, CSL), and Emp(Reid, e) by H(Emp(Reid, CSD), U), H(Emp(Reid, CSL), U), and H(Emp(Reid, e), U) respectively. The body of T′ now contains the two wffs

¬H(Emp(Reid, CSD), U) ∧ H(Emp(Reid, CSL), U) ∧ Mgr(Nilsson, e) and
H(Emp(Reid, e), U) → ((e=CSD) ∨ (e=CSL)).

Step 3. Add the wff (φ)σ_H → ω (i.e., T → (Emp(Reid, e) ∧ (e≠EE))) to the body of T′.

Step 4. Add to T′ the three wffs
(Emp(Reid, e) ↔ H(Emp(Reid, e), U)) ∨ T,

(Emp(Reid, CSD) ↔ H(Emp(Reid, CSD), U)) ∨ (e=CSD), and
(Emp(Reid, CSL) ↔ H(Emp(Reid, CSL), U)) ∨ (e=CSL).

Examination of Worlds(T′) shows that T′ accomplishes U. □

The models of T′ produced by the Update Algorithm always represent exactly the alternative worlds that U is defined to produce from T:

Theorem 3-1. Given an extended relational theory T and an update U, the extended relational theory T′ produced by the Update Algorithm Version I accomplishes U. □

In other words, Worlds(T′) = ⋃_{M ∈ Models(T)} Worlds(U(M)). Theorem 3-1 is not proven here, as it follows immediately from Theorem 4-1.

3.4.  Computational  Complexity  of  the  Update  Algorithm 

Let the size of a wff be defined as the number of occurrences of atoms in the wff, and let the size of an update U be the sum of the sizes of φ and ω. Let U be an update of size k; and let R be the maximum number of distinct datoms of T over the same predicate. When T and U contain no Skolem constants, the Update Algorithm will process U in time O(k log R) (the same asymptotic cost as for ordinary database updates) and increase the size of T by O(k) worst case. This is not to say that an O(k log R) implementation of updates is the best
choice;  rather,  it  is  advisable  to  devote  extra  time  to  heuristics  for  minimizing 
the  length  of  the  formulas  to  be  added  to  T.  Nonetheless,  a  worst-case  time 
estimate  for  the  algorithm  is  informative,  as  it  tells  us  how  much  time  must  be 
devoted  to  the  algorithm  proper.  The  implementation  assumptions  necessary 
for  this  estimate  to  be  achieved  are  described  in  the  chapter  on  implementation, 
Chapter  9.  Further,  we  assume  that  the  schema  is  fixed,  i.e.,  that  the  number  of 
predicates  is  a  constant. 

When Skolem constants occur in T or in U, the controlling factor in costs is the number of atoms of T that unify with atoms of U. If n atoms of T each unify with one atom of U, then T will grow by O(n + k). In the worst case, every atom of T may unify with every atom of U, in which case after a series of m updates, the number of occurrences of atoms in T may multiply by O(mk).
Theorem  3-2  summarizes  these  properties. 

Theorem 3-2. Let T be an extended relational theory containing n different datoms (not occurrences of datoms) having Skolem constants as arguments. Let k be a constant that is an upper bound on the size of updates. Then after a series of m updates not containing Skolem constants is performed by the Update Algorithm, in the worst case the size of T will increase by O(nmk). Under a series of m updates containing Skolem constants, in the worst case the size of T will increase by O(nmk + m²k²). □

Proof  of  Theorem  3-2.  We  show  the  space  requirements  for  each  step 
of  the  Update  Algorithm. 

Let g be a datom of U, the first of the m updates. If g already is a subformula of T, then nothing is added to T for g in Step 1. Otherwise, g is not a subformula of T, and the number of datoms in T that unify with g determines the size of Σ_0 in Step 1. By assumption, g unifies with at most n datoms of T. By assumption, the predicates in 𝓛 are fixed, and hence each substitution σ in Σ_0 is of size bounded by a constant. Therefore at most O(nk) occurrences of atoms are added to T for U. Under a series of m updates not containing Skolem constants, Step 1 can add as many as O(nmk) occurrences of atoms to T′. If the updates contain Skolem constants, then each update can add k datoms containing Skolem constants to T, so that the first update after U may have a Σ_0 of size n + k, the second may have size n + 2k, and so on. As there may be k choices of Σ_0 for each update, after m updates the size of this compounding factor is O(m²k²).

Step 2 does not change the size of T′. Step 3 adds O(k) occurrences of atoms to T′.

For Step 4 of update U, a trick is helpful to keep down the size of formula (2). It can be quite expensive to repeatedly add (φ)σ_H to T′ for every choice of f in formula (2). Much more efficient is to add a single wff H(U) ↔ (φ)σ_H to T′ before Step 4, and then use H(U) in place of (φ)σ_H in all instantiations of formula (2). (H(U) is simply a history atom not unifying with any atom in T′.) We assume that this measure is taken, incurring a cost of O(k) atoms per update.

If U does not contain Skolem constants, there are at most n + 1 datoms in T′ that unify with a datom of ω, giving a maximum of n + 1 choices for f in formula (2). (If U contains Skolem constants, there may be as many as n + k such datoms in T′.) Let f be a datom in T′ that unifies with a datom of ω. The size of formula (2) for f is O(k) worst case, so the cost of instantiating formula (2) for U will be O(nk) (or O((n + k)k), if U contains Skolem constants). Therefore under a series of m updates not containing Skolem constants, Step 4 will add up to O(nmk) occurrences of atoms to T′. If the updates contain Skolem constants, then each update can add k datoms containing Skolem constants to T, so that again a compounding factor of O(m²k²) appears. □

As for the time complexity of the Update Algorithm, let us assume that an indexing scheme is available that enables any datom to be located in T in O(log R) time. Then the running time of the Update Algorithm is O(kn log R) worst case. This estimate assumes that the history step (Step 2) is optimized through special data structures (see Chapter 9): the body of the extended relational theory must be represented as a set of logical relationships between pointers. All occurrences of a single datom in the body are linked together in a chain of pointers; only the head of the chain points to the stored record for the actual datom.

Happily, a large class of common types of updates, those with very simple ω and φ, can be performed in O(k log R) time per update; Abiteboul and Grahne [Abiteboul 85] examine a subset of these simple updates. For the general case, however, potential growth of O(nmk) in the size of T is much too large, yet is unavoidable if the effect of the update is to be represented directly in the extended relational theory, for every datom of T that is an implicit subformula of the update must be changed in some way in T. In some sense the information content of a single update is no more than its size, k, and so growth of more than O(mk) after m updates is too much. We can achieve growth of no more than O(mk) by simply storing the updates without incorporating them into T.
However,  since  query  answering  presupposes  some  means  of  integrating  updates 
with  the  rest  of  the  database  to  allow  satisfiability  testing,  a  means  of  at  least 
temporary  incorporation  must  be  offered.  We  have  devised  a  scheme  of  delayed 
evaluation  and  simplification  of  expensive  updates,  by  bounding  the  permissible 
number  of  unifications  for  the  atoms  of  an  incoming  update.  This  lazy  evaluation 
technique  is  discussed  in  Chapter  5. 

3.5.  Summary  and  Conclusion 

In this chapter we formalized databases containing incomplete information as logical theories, and viewed the models of these extended relational theories as representing possible states of the world that are consistent with all known information. For the purposes of this chapter, formulas in the body of an extended relational theory could be any sentences without universal quantification. Typically incomplete information appears in these theories as disjunctions or as Skolem constants (a.k.a. null values).

Within this context, we set forth a data manipulation language for updates, and gave model-theoretic definitions of the meaning of these updates. We presented the Update Algorithm as a means of incorporating updates into extended relational theories, and proved it correct in the sense that the alternative worlds produced under the Update Algorithm are the same as those produced by updating each alternative world individually.

For  extended  relational  theories  and  updates  without  Skolem  constants, 
the  Update  Algorithm  has  the  same  asymptotic  cost  as  for  an  ordinary  complete- 
information  database  update,  but  may  increase  the  size  of  the  extended  relational 
theory.  For  updates  involving  Skolem  constants,  the  increase  in  size  will  be  severe 
if  many  atomic  formulas  in  the  theory  unify  with  those  in  the  update.  Chapter  5 
is  devoted  to  a  discussion  of  a  means  of  preventing  excessive  growth  in  the  theory. 

We conclude that, first, one may extend the concept of a database update to databases with incomplete information in a natural way; second, that mathematical logic is a fruitful paradigm and tool for the investigation; third, that one may construct an algorithm to perform these updates with a reasonable polynomial running time; and lastly, that some means is needed to prevent runaway growth in the database under a series of updates.
Chapter 4: Updates With Variables


We now consider how to extend the Update Algorithm to accept updates with variables, the type of update supported by traditional data manipulation languages. The two main results shown in this chapter are, first, that updates containing variables are no harder to perform than updates without variables, provided that variables and quantifiers are permitted in the bodies of extended relational theories; and second, that if quantifiers and variables are not permitted in theory bodies, updates are somewhat harder to perform but a reasonable algorithm is still possible, and its cost will depend on the number of substitutions for variables that lead to a satisfiable selection clause φ. In addition, the algorithm given in this chapter for updating extended relational theory bodies containing quantifiers is sufficiently general to use in updating any first-order theory.

Please  note  that  variables  will  be  permitted  to  occur  in  updates  for  the 
duration  of  this  chapter  only;  subsequent  chapters  consider  only  ground  updates, 
except  when  specifically  noted  otherwise. 

4.1.  Update  Syntax 

As usual, we confine our attention to INSERT requests: INSERT ω WHERE φ. The only change required in update syntax is that variables may now occur in φ and ω.


4.2.  Update  Semantics 

We  begin  by  presenting  a  desideratum  for  the  extension  of  update  semantics 
to  updates  with  variables:  the  chosen  semantics  should  agree  with  traditional 
semantics  for  relational  data  manipulation  language  updates  with  variables. 

As an approach that meets this desideratum, let an extended relational theory update U containing variables correspond to a set of updates without variables, derived by binding constants and Skolem constants to all the variables of U. If we apply every possible binding† to the variables of U, then the result of applying U to an extended relational theory T should be that of simultaneously applying all the updates in the (probably infinite) set just generated.

To rephrase this definition more formally, let U: INSERT ω WHERE φ be an update containing variables. Let M be a model of an extended relational theory T, and let σ be the Skolem constant substitution for M with respect to φ and ω. Let Σ_v be the desired set of substitutions σ_v for all the variables of φ and ω. Let Ω be the set of all wffs (ω)σ_v such that σ_v is in Σ_v, (φ)σ_v is true in M, and ((ω)σ_v)σ is satisfiable. Then U(M) contains every model M′ with the same universe and mappings as M, such that

(1) M′ agrees with M on the truth valuations of all null-free atoms except possibly those in Ω;

(2) All members of Ω are true in M′. □

An extended relational theory T′ accomplishes U(T) if Worlds(T′) = ⋃_{M ∈ Models(T)} Worlds(U(M)).

† Strictly speaking, this imagery is inadequate because not all elements of the universe are named in 𝓛. Rather, one should consider an extension of 𝓛 for each model in which all the elements in the model are named.

Examples. Consider the following three updates, to be applied to an extended relational theory T with body Emp(Reid, e1):

1. INSERT Emp(Reid, x) WHERE ¬Emp(Reid, x)

2. INSERT Emp(Reid, e1) WHERE ¬Emp(Reid, e1)

3. INSERT Emp(Reid, e2) WHERE ¬Emp(Reid, e2)

The first update applied to a model M of T makes Reid an employee of all departments in M (and therefore, depending on the domains involved and the method used to calculate Σ_v, may be unsafe). The second update does not change the models of T at all; and the third update produces all models where Reid is in one or two different departments. □

If U does not contain variables and ω is satisfiable, U will produce one or more models from every model M to which U is applied. Once variables occur in U, this ceases to be true. For example, the update INSERT R(x) ∧ ¬R(y) WHERE x≠y will probably be ill-advised when applied to a theory containing R(a) ∧ R(b), because it asks for R(a) and R(b) to be both true and false: R(a) ∧ ¬R(b), and R(b) ∧ ¬R(a). We will not provide any syntactic means of avoiding conflicting updates; in our system, conflicting updates simply eliminate models where a conflict arises.

4.3.  An  Update  Algorithm:  No  Variables  in  Body 

This section presents an update algorithm for use with extended relational theories without quantifiers and variables in the theory body, the type of extended relational theory studied so far. Section 4.4 presents an algorithm for use when quantifiers and variables may occur in the theory body.

The semantics for updates with variables presented in Section 4.2 does not directly lend itself to algorithmic application when quantifiers and variables are not allowed in the body of T. We must ensure that all but a finite number of the substitutions σ_v used lead to updates that do not change the models of T at all. If this is true, then all the substitutions that generate no-op updates can be ignored: only a finite set Σ_v of substitutions will be relevant. The method traditionally used in database data manipulation languages to guarantee a finite Σ_v is the use of safe selection clauses [Ullman 82]. An adaptation of the concept presented there to the incomplete information situation might be to include a substitution σ_v in Σ_v iff σ_v substitutes constants and Skolem constants already occurring in T or U for all the variables of U. A domain completion axiom can be employed to this end. Another technique would be to require typed selection clauses, that is, to have type axioms (see Chapter 6) and require that the selection clause specify the type of all variables; INGRES [Stonebraker 85] and System R [Chamberlain 76] use a variant of this technique. We choose not to dictate the choice of a safe query mechanism, but rather operate on the assumption that one way or another, the query and update processor knows how to reduce an update with variables to a finite set of ground updates. In practice in today's database management systems, determination of Σ_v is typically initiated via index lookup on selection and join attributes. As is true in ordinary databases when variables occur in updates, an update with variables will often require more changes in the extended relational theory than a ground update does, because each instantiation of variables represents an additional change to be made in the theory.

The essential idea of the update algorithm is to create one ground update for each substitution σ_v in Σ_v. We do not require that (φ)σ_v actually be true in some model of T, as such a condition is equivalent to testing satisfiability, and hence might require exponential time to verify. The generation of Σ_v should be done by the algorithms used for query processing, and should require time polynomial in the size of the extended relational theory and exponential in the length of the update request.

We  now  present  an  extension  of  the  Update  Algorithm  Version  I  to  handle 
updates  with  variables.  The  new  Update  Algorithm  must  take  into  account  that 
an  atom  of  T  may  be  affected  simultaneously  in  several  different  ways  by  different 
instantiations  of  the  variables  in  an  update. 

The Update Algorithm (Version II)

Input. An extended relational theory T, an update U and a set Σ_v of substitutions σ_v for all the variables of U.

Output. T′, an updated version of T.

Procedure. A sequence of four steps:

Step 1. Maintain the closed-world assumption. To maintain the closed-world assumption, all datoms in (ω)σ_v and (φ)σ_v, for all σ_v ∈ Σ_v, must be represented in the completion axioms of T. First change the body of T to reflect the new completion axioms: for each datom g that is a subformula of some (ω)σ_v or (φ)σ_v but not of T, let Σ_0 be the set of substitutions σ such that for some datom f of the body of T, f unifies with g under the most general substitution σ. If Σ_0 is the empty set, then add ¬g to the body of T; otherwise, add the wff

$$g \rightarrow \bigvee_{\sigma \in \Sigma_0} \sigma \qquad (1)$$

to the body of T. Then for every datom g of T not represented in the completion axioms, add a disjunct representing g to those axioms. Call the resulting theory T′.

Step 2. Make history. For each atom f of the body of T′ that unifies with an atom of (ω)σ_v for some σ_v ∈ Σ_v, replace all occurrences of f in the body of T′ by the history atom H(f, U). In other words, replace the body B of T′ by (B)σ_H.

Step 3. Define the scope of the update. For every σ_v in Σ_v, add the wff ((φ)σ_v)σ_H → (ω)σ_v to T′.

Step 4. Restrict the scope of the update. For each σ_v in Σ_v and each datom f in σ_H, let Σ_vf be the set of substitutions σ such that f unifies with an atom of (ω)σ_v under the most general substitution σ. For each datom f in σ_H, add the wff

$$(f \leftrightarrow H(f, U)) \vee \bigvee_{\sigma_v \in \Sigma_v} \Big(((\phi)\sigma_v)\sigma_H \wedge \bigvee_{\sigma \in \Sigma_{vf}} \sigma\Big) \qquad (2)$$

to T′. Intuitively, for f an atom that might possibly have its truth valuation changed by update U, formula (2) says that the truth valuation of f can change only in a model where (φ)σ_v (for some σ_v) was true originally, and further that in any model so created, f must be unified with an atom of (ω)σ_v for that same σ_v. □

Example. Let U be INSERT ¬Emp(Reid, x) WHERE Emp(Reid, x), when T contains Emp(Reid, CSD) ∧ Emp(Reid, e1). The alternative worlds of T initially consist of all worlds where Reid is in CSD and possibly one other department, and all else is false. After the update, T′ should have one alternative world, in which everything is false. The set of substitutions Σ_v contains the two substitutions x=CSD and x=e1.

Step 1. No actions are required, as both atoms that unify with (ω)σ_v are already in T.

Step 2. Upon application of σ_H, the body of T′ becomes
H(Emp(Reid, CSD), U) ∧ H(Emp(Reid, e1), U).

Step 3. Two wffs are added to the body of T′:
H(Emp(Reid, CSD), U) → ¬Emp(Reid, CSD) and
H(Emp(Reid, e1), U) → ¬Emp(Reid, e1).

Because U is a simple update, at this point T′ already has the correct alternative worlds, and Step 4 is superfluous.

Step 4. Add to T′ the following two formulas:

(Emp(Reid, CSD) ↔ H(Emp(Reid, CSD), U))
  ∨ (H(Emp(Reid, CSD), U) ∧ T)
  ∨ (H(Emp(Reid, e1), U) ∧ (e1=CSD)),

(Emp(Reid, e1) ↔ H(Emp(Reid, e1), U))
  ∨ (H(Emp(Reid, CSD), U) ∧ (e1=CSD))
  ∨ (H(Emp(Reid, e1), U) ∧ T). □




Please note that Version I of the Update Algorithm is a special case of Version II.

The models of T' represent exactly the alternative worlds that U is defined to produce from T:

Theorem 4-1. For any extended relational theory T and update U possibly containing variables, the Update Algorithm Version II accomplishes U. □

In other words, T' is an extended relational theory, and Worlds(T') = ⋃_{M ∈ Models(T)} Worlds(U(M)). Readers not interested in a formal proof of correctness for the Update Algorithm should skip to the next section. To prove Theorem 4-1, we will use a lemma showing that Step 1 of the Update Algorithm does not change the models of T.

Lemma 4-1. Let T be a theory containing a completion axiom α for an n-ary predicate R, and let f be a ground datom R(c1, ..., cn) not represented in α. Let Σ_0 be the set of all substitutions σ such that for some datom g in T, f unifies with g under the most general substitution σ. Let T' be the theory created from T by adding the new disjunct (x1=c1 ∧ x2=c2 ∧ ⋯ ∧ xn=cn) to α, and then adding ¬f to the body of T if Σ_0 is the empty set or adding

$$ f \rightarrow \bigvee_{\sigma \in \Sigma_0} \sigma $$

otherwise. Then T and T' have the same models. □

Proof of Lemma 4-1. Let α' be α with the disjunct added to represent f, and let β be the wff f → (⋁_{σ ∈ Σ_0} σ). First consider the case where Σ_0 is nonempty.

Let M be a model of T. Let σ be the Skolem constant substitution for M with respect to T. M satisfies all wffs of T' other than α' and β, since all other wffs also are formulas of T. But α → α', so M satisfies α'. As for β, if f is false in M then β is satisfied. If f is true in M, then (f)σ must be represented by some disjunct of (α)σ. Let g be the datom represented by that same disjunct in α. Then g and f unify under substitution σ, and therefore β is satisfied in M. We conclude that M is a model of T'.

For the reverse implication, let M' be a model of T' and let σ be the Skolem constant substitution for M' with respect to T'. M' satisfies all the wffs of T except possibly α. But if α is false in M', it must be because for some binding to the variables of α, the disjunct representing f is true in M', i.e., that f is true in M'. But then by β there exists a datom g of T such that f unifies with g under σ. Since g is represented in α, M' satisfies α. Therefore M' is a model of T.

Now consider the case where Σ_0 is the empty set, i.e., where f is false in all models of T. Let M be a model of T. Then α → α', and ¬f is true in M, so M is also a model of T'.

Conversely, if M' is a model of T' and σ is the Skolem constant substitution for M' with respect to T', then M' satisfies all wffs of T except possibly α. But if α is false in M' for some instantiation of the variables of α, it must be because the disjunct representing f in α' is true in M'. But we know that f is false in M'. Therefore M' is a model of T. □


Proof of Theorem 4-1. For simplicity of reference, let T be the original extended relational theory, T_1 be the theory produced by Step 1 of the Update Algorithm, T_2 be the theory produced by Step 2, and so on. M will always refer to a model of the original theory, M_1 to a model of T_1, and so on. We first show that the Update Algorithm produces a subset of the correct set of alternative worlds.

Suppose that M_4 is a model of T_4. Let σ_4 be the Skolem constant substitution for M_4 with respect to T_4. Our goal is to show that U should produce M_4 from some model M of T. It suffices to show that T_1 has such a model M, because by Lemma 4-1, the models of T and T_1 are the same.

Let F be the set containing all datoms f in σ_H. Let M be a model that has the same universe and constant and Skolem constant mappings as M_4, and that agrees with M_4 on the truth valuations for all null-free datoms except possibly those in (F)σ_4, that is, except those obtained by applying σ_4 to datoms in F. If f is in F, then let the truth valuation of f in M be the same as that of H(f, U) in M_4. To show that M is actually a model of T_1, let α be a wff of the body of T_1. The descendant of α in T_4 is (α)σ_H. Since M and M_4 agree on the truth assignments to all atoms of (α)σ_H, therefore (α)σ_H must be true in M. This implies that α will be true in M if every atom f of F that is a subformula of α has the same truth assignment in M as does H(f, U) in M and M_4. But this is true by definition. As the completion axioms are the same in both theories, we conclude that M is a model of T_1 and T.

It remains to show that U applied to M produces the alternative world of M_4. Let Σ_φ be the set of all σ_v in Σ_ω such that (φ)σ_v is true in M. By the previous argument, ((φ)σ_v)σ_H is satisfied by M_4 iff σ_v ∈ Σ_φ. By the formula of Step 3, it follows that (ω)σ_v is true in M_4 for all σ_v ∈ Σ_φ, so rule 2 of the definition of INSERT is satisfied by M_4. For rule 1, if the truth valuation of a null-free datom f is different in M and M_4, then f ∈ (F)σ_4 and therefore f unifies with an atom of (ω)σ_v for some set of σ_v ∈ Σ_ω. If (φ)σ_v is false in M for all such σ_v, then by formula (2), f ↔ H(f, U) must be true in M_4, and rule 1 is satisfied.

We conclude that U produces the alternative world of M_4 from M.

We have shown that the Update Algorithm produces only correct alternative worlds; we now turn to the question of completeness: does the Update Algorithm produce every alternative world that should be derived under U?
Let M be a model of T, and let σ_1 be the Skolem constant substitution for M with respect to T and U. By Lemma 4-1, M is also a model of T_1.

Let Σ_φ be the set of all substitutions σ_v ∈ Σ_ω such that (φ)σ_v is true in M.

Select one particular set v of truth valuations for the atoms of ((ω)σ_v)σ_1, for all σ_v ∈ Σ_φ, such that ((ω)σ_v)σ_1 is true under v for all σ_v ∈ Σ_φ and v is satisfiable. If no such v exists, then U produces no alternative worlds from M, and the theorem follows.

Let M_4 be the model that agrees with v on all datom valuations of v; where H(f, U) is assigned the same valuation as f had in M, for all datoms f in σ_H; that has the same universe and constant and Skolem constant mappings as M; and that agrees with M on all other null-free atom truth valuations. Then M_4 is a model of an arbitrary alternative world that should be produced by U from M, and we claim that M_4 is a model of T_4.

Let σ_v be a substitution in Σ_ω. First, M_4 satisfies the completion axioms of T_4, as every datom of (ω)σ_v already is a subformula of T_1, and T_4 and T_1 have identical completion axioms. For atoms f in (ω)σ_v, since H(f, U) has the same truth valuation in M_4 as does f in M, it follows that M_4 satisfies (B)σ_H, that is, all the formulas of the body of T_1, to which σ_H was applied in Step 2. Since (ω)σ_v is true in M_4 if σ_v ∈ Σ_φ, the wff ((φ)σ_v)σ_H → (ω)σ_v added to T_4 in Step 3 is satisfied by M_4. There is only one remaining class of wffs of T_4 that M_4 might not satisfy: formula (2) from Step 4.

Let f be an atom in F. If f and H(f, U) have the same truth valuations in M_4, then formula (2) is satisfied. If f and H(f, U) have different truth valuations in M_4, then (f)σ_1 must appear in v, and therefore also in ((ω)σ_v)σ_1 for some σ_v ∈ Σ_φ. Therefore (φ)σ_v must be true in M, and ((φ)σ_v)σ_H must be true in M_4. This implies that formula (2) is satisfied, since σ ∧ ((φ)σ_v)σ_H is true in M_4 for the substitution σ under which f unifies with that atom of (ω)σ_v. We conclude that M_4 is a model of T_4, and the alternative world of M_4 is produced by the Update Algorithm.

It remains to verify that T_4 is an extended relational theory. T_4 has disjuncts in its completion axioms for exactly the datoms in its body. The body of T_4 is still finite and contains no variables. This concludes the proof of correctness for the Update Algorithm. □

The computational complexity of Version II of the Update Algorithm depends on the size of Σ_ω. In particular, if V is the number of members of Σ_ω, then the number of atoms that are added to T will be as much as V times greater than that added by the same steps in Version I. Of course the same relationship holds between ordinary relational database insertions with and without variables. The time complexity of Version II will likewise be multiplied by a factor of V in the worst case: O(V log R (nmk + m²k²)).

4.4.  An  Update  Algorithm:  Variables  in  Body 

This section presents an update algorithm for use with extended relational theories with arbitrary formulas in the theory body. This technique is of particular interest, as it gives a method of updating theories for non-database applications. Having variables in the theory body makes more work for the query processor, but as we will see, makes life much easier for the update processor.

First, the definitions given earlier for extended relational theories, substitution, unification, etc., need to be modified slightly. Please note that these definitions are in effect for the remainder of this chapter only; subsequent chapters will revert to the original definitions. The changes needed are as follows:

• Substitutions: A variable may be substituted for another variable. For example, the atomic formulas Emp(Reid, x) and Emp(y, z) now unify under substitution Reid=y ∧ x=z.

• Variables are permitted in atoms and datoms. For example, Emp(Reid, x) and Emp(y, z) are now both datoms.

• An extended relational theory may now be any finite theory; that is, the extended relational theory contains only a body, which may be any finite set of wffs. All free variables in the theory are implicitly universally quantified over the scope of the formula in which they occur. As before, only standard models will be considered.

What happened to the completion axioms? Since quantifiers are now permitted in theory bodies, there is no reason to separate out the completion axioms from the rest of the theory. To implement a closed-world assumption for a predicate R, it suffices to include the wff ∀x1 ⋯ ∀xn ¬R(x1, ..., xn) in the body at the inception of the theory. Subsequent updates will maintain the closed-world assumption automatically, by modifying that formula. The examples given after the presentation of the new update algorithm will illustrate this technique.

Though  the  definitions  of  extended  relational  theories  and  other  technical 
terms  are  changed  slightly  for  this  section,  update  syntax  and  semantics  remain 
exactly  as  presented  in  Sections  4.1  and  4.2. 

With these formalities out of the way, we turn to the main result of this section: a very simple version of the Update Algorithm accomplishes updates containing variables. This algorithm, Version III, adds only O(k) atoms to the size of the theory, where k is the size of the update. This is in contrast to Version II, which depends directly on the number of instantiations of variables in Σ_ω (given to Version II as part of its input), and on the number of datoms in the theory that unify with datoms in the update. Further, this independence from Σ_ω means that Version III works correctly even for updates with unsafe selection clauses — e.g., an infinite number of relevant instantiations of variables — and also for universe elements that are not named in L. Version II, on the other hand, is restricted to safe selection clauses and bindings of variables to constants and Skolem constants in L. We now present the Update Algorithm Version III.


The Update Algorithm (Version III)

Input. A theory T and an update U possibly containing variables.

Output. T', an updated version of T.

Procedure. A sequence of three steps:

Step 1. Make history. Let σ_H be the substitution that replaces each atom f of T and U that unifies with an atom of ω by its history atom H(f, U). Then replace all occurrences of f in T by H(f, U). In other words, replace the body B of T by (B)σ_H. Call the resulting theory T'.

Step 2. Define the scope of the update. Add the wff (φ)σ_H → ω to T'.

Step 3. Restrict the scope of the update. Let y1 through yn be the variables appearing in U. For each n-ary predicate R that appears in ω, let x1 through xn be variables not appearing in T', and let Σ_R be the set containing all most general substitutions σ such that R(x1, ..., xn) unifies with a datom of ω under σ. Add the wff

$$ \big( R(x_1,\ldots,x_n) \leftrightarrow H(R(x_1,\ldots,x_n),U) \big) \;\vee\; \exists y_1 \cdots \exists y_n \Big( (\phi)\sigma_H \;\wedge\; \bigvee_{\sigma \in \Sigma_R} \sigma \Big) $$

to T'. □

Example. Let T contain the single wff ∀x∀y ¬Emp(x, y), and let U be the update INSERT Emp(Reid, CSD) WHERE Emp(Reid, EE). As there are no employees initially in T, this update should not change any datom truth valuations. Step 1 changes T to the wff ∀x∀y ¬H(Emp(x, y), U); Step 2 adds the wff H(Emp(Reid, EE), U) → Emp(Reid, CSD); and Step 3 adds the wff (Emp(x1, x2) ↔ H(Emp(x1, x2), U)) ∨ ∃y1∃y2 (H(Emp(Reid, EE), U) ∧ (y1 = Reid) ∧ (y2 = CSD)).

Clearly there are still no employees after the update. □

Example. Let T contain the wff ∀x∀y Emp(x, y) → ((x=Reid) ∧ (y=e)). The models of this theory have either no employees or just one employee, Reid in some one department. Let U be the update INSERT Emp(Reid, CSD) WHERE Emp(Reid, EE). This update should change all models where Reid is in EE so that Reid is now also in CSD. Step 1 changes T to the wff
∀x∀y H(Emp(x, y), U) → ((x=Reid) ∧ (y=e)).

Step 2 adds the wff H(Emp(Reid, EE), U) → Emp(Reid, CSD); and Step 3 adds the wff

(Emp(x1, x2) ↔ H(Emp(x1, x2), U)) ∨ ∃y1∃y2 (H(Emp(Reid, EE), U) ∧ (y1 = Reid) ∧ (y2 = CSD)).

Again the correct models obtain. □

Example. Let T contain the wffs Emp(Reid, CSD), Emp(Lantz, EE), and

Emp(x, y) → (((x = Reid) ∧ (y = CSD)) ∨ ((x = Lantz) ∧ (y = EE))).

Let U be the update INSERT Emp(y, CSD) WHERE Emp(y, EE). After this update is completed, T should have one alternative world, in which Reid is in CSD and Lantz is in CSD and EE. After the history substitution step, T' contains the three formulas

H(Emp(Reid, CSD), U),
H(Emp(Lantz, EE), U), and
H(Emp(x, y), U) → (((x = Reid) ∧ (y = CSD)) ∨ ((x = Lantz) ∧ (y = EE))).

Step 2 adds the formula
H(Emp(y, EE), U) → Emp(y, CSD)
to T'; and Step 3 contributes the formula
(Emp(x1, x2) ↔ H(Emp(x1, x2), U)) ∨ ∃y (H(Emp(y, EE), U) ∧ (x1 = y) ∧ (x2 = CSD)). □
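The three steps of Version III can be run mechanically; the following is an added example, not code from the dissertation, that applies them to the example just given and prints the resulting body of T'. Formulas are nested tuples, σ_H is applied as a set of atom patterns whose every instance is historicized (which is how Emp(Lantz, EE) becomes a history atom above), and the helper names together with the convention that Skolem constants are written e, e1, e2, ... are this example's own assumptions.

```python
# Added example, not from the dissertation: the Update Algorithm (Version III)
# run on the third example above.  Formulas are nested tuples such as
# ("imp", f, g); the helper names and the convention that Skolem constants
# are written e, e1, e2, ... are assumptions of this example.

def is_skolem(t):
    return t == "e" or (t[0] == "e" and t[1:].isdigit())

def is_var(t):
    return t[0].islower() and not is_skolem(t)

def atom(pred, *args):
    return ("atom", pred, tuple(args))

def unifiable(a, b):
    """Datoms unify when predicate and arity agree and every argument pair
    is equal or involves a variable or a Skolem constant."""
    return a[1] == b[1] and len(a[2]) == len(b[2]) and all(
        x == y or is_var(x) or is_var(y) or is_skolem(x) or is_skolem(y)
        for x, y in zip(a[2], b[2]))

def instance_of(pattern, a):
    """One-way match: the variables of pattern bind consistently to a's arguments."""
    if pattern[1] != a[1] or len(pattern[2]) != len(a[2]):
        return False
    binding = {}
    return all((binding.setdefault(p, t) == t) if is_var(p) else p == t
               for p, t in zip(pattern[2], a[2]))

def map_atoms(f, fn):
    """Rebuild formula f with fn applied to every (non-history) atom."""
    kind = f[0]
    if kind == "atom":
        return fn(f)
    if kind in ("H", "eq"):
        return f
    if kind in ("forall", "exists"):
        return (kind, f[1], map_atoms(f[2], fn))
    return (kind,) + tuple(map_atoms(g, fn) for g in f[1:])

def atoms(f):
    found = []
    map_atoms(f, lambda a: found.append(a) or a)
    return found

def conj(fs): return fs[0] if len(fs) == 1 else ("and", fs[0], conj(fs[1:]))
def disj(fs): return fs[0] if len(fs) == 1 else ("or", fs[0], disj(fs[1:]))

SYM = {"and": "∧", "or": "∨", "imp": "→", "iff": "↔"}

def fmt(f):
    kind = f[0]
    if kind in ("atom", "H"):
        s = f"{f[1]}({', '.join(f[2])})"
        return s if kind == "atom" else f"H({s}, U)"
    if kind == "eq":
        return f"({f[1]} = {f[2]})"
    if kind == "not":
        return "¬" + fmt(f[1])
    if kind in ("forall", "exists"):
        q = "∀" if kind == "forall" else "∃"
        return "".join(q + v for v in f[1]) + " " + fmt(f[2]) if f[1] else fmt(f[2])
    return f"({fmt(f[1])} {SYM[kind]} {fmt(f[2])})"

def update_v3(T, phi, omega):
    """Body of T' for the update INSERT omega WHERE phi (Steps 1 to 3)."""
    # Step 1: σ_H maps every atom of T or U that unifies with an atom of ω to
    # its history atom; applying it historicizes each instance of those atoms.
    patterns = [a for f in T + [phi, omega] for a in atoms(f)
                if any(unifiable(a, w) for w in atoms(omega))]
    sigma_h = lambda a: ("H",) + a[1:] if any(instance_of(p, a) for p in patterns) else a
    body = [map_atoms(f, sigma_h) for f in T]
    phi_h = map_atoms(phi, sigma_h)
    body.append(("imp", phi_h, omega))                          # Step 2
    # Variable names already in use, and the variables y1..yn of U.
    used = {t for f in T + [phi, omega] for a in atoms(f) for t in a[2] if is_var(t)}
    yvars = tuple(sorted({t for a in atoms(phi) + atoms(omega) for t in a[2] if is_var(t)}))
    for pred, arity in sorted({(w[1], len(w[2])) for w in atoms(omega)}):   # Step 3
        xs, i = [], 1
        while len(xs) < arity:                       # x1..xn not appearing in T'
            if f"x{i}" not in used: xs.append(f"x{i}")
            i += 1
        # Σ_R: most general substitutions unifying R(x1..xn) with the datoms of ω.
        subs = [conj([("eq", x, t) for x, t in zip(xs, w[2])])
                for w in atoms(omega) if (w[1], len(w[2])) == (pred, arity)]
        generic = atom(pred, *xs)
        body.append(("or", ("iff", generic, ("H",) + generic[1:]),
                     ("exists", yvars, ("and", phi_h, disj(subs)))))
    return body

# Constructed input: the third example above.
T_EX = [atom("Emp", "Reid", "CSD"), atom("Emp", "Lantz", "EE"),
        ("imp", atom("Emp", "x", "y"),
         ("or", ("and", ("eq", "x", "Reid"), ("eq", "y", "CSD")),
                ("and", ("eq", "x", "Lantz"), ("eq", "y", "EE"))))]
PHI_EX, OMEGA_EX = atom("Emp", "y", "EE"), atom("Emp", "y", "CSD")

if __name__ == "__main__":
    for wff in update_v3(T_EX, PHI_EX, OMEGA_EX):
        print(fmt(wff))
```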

Theorem 4-2. Let T be a theory, let U be an update possibly containing variables, and let T' be the theory produced from T and U by the Update Algorithm Version III. Then T' accomplishes U. □

Proof of Theorem 4-2. We begin by showing that the Update Algorithm Version III produces a subset of the correct set of alternative worlds.

Suppose that M_3 is a model of T_3. Let σ_3 be the Skolem constant substitution for M_3 with respect to T_3. Our goal is to show that U should produce M_3 from some model M of T.

Let F be the set containing all datoms f in σ_H. Let M be a model with the same universe and constant and Skolem constant mappings as M_3, and that agrees with M_3 on the truth valuations for all null-free datoms except possibly those obtained by binding universe elements to the variables in (F)σ_3.¹ If f is in F, and b is a binding for all the variables of f, then let the truth valuation of (f)b in M be the same as that of (H(f, U))b in M_3.

To show that M is actually a model of T, let α be a wff of T. The descendant of α in T_3 is (α)σ_H. For any binding b of elements of the universe to all the variables of (α)σ_H, M and M_3 agree on the truth assignments to all atoms of ((α)σ_H)b, and therefore (α)σ_H must be true in M. This implies that (α)b will be true in M if for every atom f of F that is a subformula of α, the datom (f)b has the same truth assignment in M as does (H(f, U))b in M and M_3. But this is true by definition. We conclude that M is a model of (T)σ_H and T.

¹ To be strictly correct, rather than talking about binding universe elements to variables, we should extend L to a language in which all universe elements are named by constants, and then bind those constants to variables.
It remains to show that U applied to M produces the alternative world of M_3. Let Σ_φ be the set containing all bindings b for all the variables of U such that (φ)b is true in M. By the previous argument, ((φ)b)σ_H is satisfied by M_3 iff b ∈ Σ_φ. By the formula of Step 3, it follows that (ω)b is true in M_3 for all b ∈ Σ_φ, so rule 2 of the definition of INSERT is satisfied by M_3. For rule 1, if the truth valuation of a ground datom f is different in M and M_3, then f is not a subformula of any member of Ω. Therefore for every binding b to all the variables of U such that f appears in ((ω)b)σ_3, it follows that b ∉ Σ_φ, and (φ)b is false in M. But then by the formula of Step 3, (f ↔ H(f, U)) must be true in M_3, and rule 1 is satisfied. We conclude that U produces the alternative world of M_3 from M.

We have shown that the Update Algorithm produces only correct alternative worlds; we now turn to the question of completeness: does the Update Algorithm produce every alternative world that should be derived under U?

Let M be a model of T, and let σ be the Skolem constant substitution for M with respect to T and U. Let Σ_φ be the set of all bindings b for all the variables of U such that (φ)b is true in M. Select one particular set v of truth valuations for the atoms of ((ω)b)σ, for all b ∈ Σ_φ, such that ((ω)b)σ is true under v for all b ∈ Σ_φ and v is satisfiable. If no such v exists, then U produces no alternative worlds from M, and the theorem follows.

Let M_3 be the model that has the same universe and constant and Skolem constant mappings as M; that agrees with v on all datom valuations of v; where (H(f, U))b is assigned the same valuation as (f)b had in M, for all datoms f in σ_H and bindings b to the variables of f; and that agrees with M on all other null-free atom valuations. Then M_3 is a model of an arbitrary alternative world that should be produced by U from M, and we claim that M_3 is a model of T_3.

For atoms f in ω, since H(f, U) has the same truth valuation in M_3 as does f in M, it follows that M_3 satisfies (B)σ_H, that is, all the formulas of the body of T, to which σ_H was applied in Step 1. Let b be a binding for all the variables of U. Since (ω)b is true in M_3 if b ∈ Σ_φ, the wff (φ)σ_H → ω added to T_3 in Step 2 is satisfied by M_3. There is only one remaining class of wffs of T_3 that M_3 might not satisfy: the formula from Step 3.

Let f be an atom, and let b be a binding for all the variables of f. If ((f)σ)b and ((H(f, U))σ)b have the same truth valuations in M_3, then the formula of Step 3 is satisfied when x1 through xn are bound to the corresponding arguments of f. If they have different truth valuations in M_3, then (f)σ must be a member of (F)σ, and ((f)σ)b must appear in v, and therefore also in ((ω)b')σ for some b' ∈ Σ_φ. This implies that the formula of Step 3 is satisfied for f, since ((φ)b')σ is true in M_3. We conclude that M_3 is a model of T_3, and the alternative world of M_3 is produced by the Update Algorithm. This concludes the proof of correctness for the Update Algorithm. □

4.5.  Summary  and  Conclusion 

In  this  section  we  have  extended  the  definitions  and  algorithms  of  Chapter  3 
to include updates containing variables and extended relational theories with
arbitrary  formulas  in  their  bodies.  A  very  simple  update  algorithm,  Version  III, 
was  proven  sufficient  to  perform  these  updates  when  quantifiers  and  variables 
are  permitted  in  the  theory  bodies.  If  quantifiers  are  not  allowed,  Version  II  of 
the  Update  Algorithm  may  be  used.  The  time  complexity  and  the  length  of  the 
wffs  added  to  the  extended  relational  theory  in  Version  II  are  V  times  greater 
than  those  of  Version  I,  where  V  is  the  number  of  sets  of  substitutions  for  the 
variables  of  the  update  that  are  to  be  considered  during  update  processing.  In 
contrast,  Version  III  adds  to  the  extended  relational  theory  only  a  number  of 
atoms  that  is  linear  in  the  size  of  the  update  request,  but  makes  query  processing 
more  difficult.  Version  III  is  also  of  interest  as  a  method  of  updating  arbitrary 
logical  theories. 
Chapter 5: Lazy Evaluation of Updates


Delayed, but nothing altered. — Shakespeare, Romeo and Juliet 4.4


As Chapters 1-4 have shown, first-order logic provides an adequate framework for an examination of updates to databases containing incomplete information. However, from a practical point of view, updates can be quite expensive when Skolem constants occur in the extended relational theory. The cost of an update can be measured as a function of the increase in the size of the theory that would result from execution of the update, and by measures of the expected time to execute the update and to answer subsequent queries. Once a database administrator has established a policy on when an update is too expensive, the techniques of this chapter can be used to recognize and defer or reject too-expensive updates and queries. This involves use of a lazy evaluation technique to delay execution of expensive updates as long as possible.

Recall from Theorem 3-2 that when the extended relational theory T contains n atoms containing Skolem constants, a series of m updates of size k each may cause the size of T to grow by O(nmk + m²k²). This potential growth is much too large, yet large growth (at least O(nm)) is unavoidable if the effect of an update is to be represented directly in the extended relational theory, for in the worst case every datom of T that unifies with a datom of the update must be changed in some way in T. In some sense the information content of a single update is no more than its size, k, and so growth of more than O(mk) after m updates is too much. We can achieve growth of no more than O(mk) by simply storing the updates without incorporating them into T. However, since the usual means of query answering presupposes some means of integrating updates with the rest of the database to allow satisfiability testing, a means of at least temporary incorporation must be offered. This chapter puts forth a scheme of delayed evaluation and simplification of expensive updates based on bounding the permissible number of unifications for the atoms of an incoming update. We begin with a general overview and a series of examples.

There is a lot to be said about lazy evaluation, and only part of this story is told here. As this chapter began to loom over the others in sheer bulk, the author chose to err on the side of informality rather than overload. Dyed-in-the-wool theorists will recognize that numerous additional theorems must be included in any definitive treatment of lazy evaluation; non-theorists will see a need for further elaboration and refinement of the cost estimation techniques used in lazy evaluation.
5.1. Overview and Motivation

The  first  element  of  a  system  for  cost  reduction  of  too-expensive  updates  is  a 
cost  evaluation  function,  so  that  we  can  decide  which  updates  are  too  expensive 
to  execute.  If  an  incoming  update  U  is  determined  to  be  too  expensive,  we  will 
not  execute  U,  but  instead  set  U  aside  in  the  hopes  that  either  no  queries  will  be 
asked  that  require  processing  U  completely,  or  intervening  updates  will  reduce 
the  cost  of  U  sufficiently  before  it  must  be  executed. 

As the main data structure for this lazy evaluation scheme, we propose to use a lazy graph, a directed acyclic graph that keeps track of data dependencies between updates. The lazy graph helps minimize the amount of updating that must be performed before executing an incoming query Q, and keeps track of relevant update sequencing information. Some examples will clarify the potential benefits.

Example. The effect of the two updates INSERT Emp(Reid, CSD) WHERE T and INSERT ¬Emp(Reid, CSD) WHERE T is dependent upon the order in which they are executed; if these two are stored away for lazy execution, we must make sure that any eventual processing of them is done in the order in which they were received. On the other hand, neither of these two conflicts with the update INSERT Emp(Reid, CSL) WHERE T, which could be performed before, after, or between the other two. □

This example suggests a parallel between lazy evaluation sequencing control and concurrency control [Papadimitriou 86]. The main difference is that in database concurrency control, any execution equivalent to some serial execution is correct, while sequencing control requires that the execution be equivalent to the original update input order.

Example. Suppose the update U': INSERT e=CSD WHERE T is received while the update U: INSERT Emp(Reid, e) WHERE T is still unexecuted. Unlike information about the truth valuations of datoms, information about the bindings of Skolem constants is permanent and once asserted can never be refuted, only refined. (For example, if the user follows U' by the update INSERT e=CSL WHERE T, then T will become inconsistent.) This pleasant property of permanence allows us to use the new information in U' about the value of e to simplify not only T, but also the pending update U: U can now be reduced to INSERT Emp(Reid, CSD) WHERE T, which may well be affordable enough to execute directly even if INSERT Emp(Reid, e) WHERE T is not. □

Example. Another potentially useful feature is the ability to execute only part of an update, leaving the more expensive part for later incorporation. For example, suppose the update U: INSERT Emp(Reid, e) ∧ Mgr(Nilsson, CSD) WHERE T is too expensive only because Emp(Reid, e) unifies with too many datoms of T. If a user later asks a query involving only Mgr(Nilsson, CSD), it is advantageous to split U into the two updates U1: INSERT Mgr(Nilsson, CSD) WHERE T and U2: INSERT Emp(Reid, e) WHERE T and only execute U1 before processing the query.
Figure 5-1. Example of lazy evaluation. (Lazy graph over the nodes U1: INSERT Mgr(Nilsson, e) ∧ Emp(Reid, e) WHERE T; U2: INSERT Emp(Reid, CSL) WHERE T; Q: INSERT Q(Reid) WHERE Emp(Reid, CSL) ∧ Emp(Reid, CSD).)


Example. Suppose an update U1: INSERT Mgr(Nilsson, e) ∧ Emp(Reid, e) WHERE T arrives in the system, followed by the update U2: INSERT Emp(Reid, CSL) WHERE T. Then U2 and possibly U1 as well contain new information about the truth valuation of Emp(Reid, CSL); both of these updates may write new information about Emp(Reid, CSL) into T. In the language of concurrency control, there is a write/write conflict between Emp(Reid, e) in U1 and Emp(Reid, CSL) in U2; the lazy graph of figure 5-1 depicts these relationships. Suppose that the query Q: INSERT Q(Reid) WHERE Emp(Reid, CSL) ∧ Emp(Reid, CSD) arrives next. (We have not formally defined queries yet; think of them as establishing a new relation that gives a view of the current database.) A read/write conflict occurs when one update “reads” a datom (i.e., the datom occurs in φ) that a later update “writes”. There are read/write conflicts between Emp(Reid, CSL) of Q and Emp(Reid, e) of U1 and Emp(Reid, CSL) of U2, and between Emp(Reid, CSD) of Q and Emp(Reid, e) of U1, as depicted in figure 5-1.

Assuming that both Emp(Reid, e) and Mgr(Nilsson, e) in U1 are too expensive to execute because they unify with too many datoms of T, the best procedure is to first split Mgr(Nilsson, e) out of U1, as depicted in figure 5-2, creating updates U3 and U4.

Then U4 needs to be split on the two substitutions e=CSL and e=CSD, creating updates U5, U6, and U7, depicted in figure 5-3. At this point Q and the updates Q depends upon are more likely to be affordable. □

With the algorithm and data structures presented in this chapter, if a query is rejected due to excessive expense, exact reasons for the high cost can be made available to the caller, so that assertions about the possible bindings for Skolem constants may be used to reduce the amount of uncertainty in the database and render the query affordable. Furthermore, any new binding information can be used to reduce the size of the extended relational theory, in effect retroactively reducing the cost of all earlier updates that contained those Skolem constants.
[Figure 5-2: lazy graph after the horizontal split, with
U3: INSERT Mgr(Nilsson, e) WHERE T
U4: INSERT Emp(Reid, e) WHERE T
Q: INSERT Q(Reid) WHERE Emp(Reid, CSL) ∧ Emp(Reid, CSD)]
Figure 5-2. Lazy evaluation horizontal split.


These  examples  should  suffice  to  give  a  flavor  of  the  possible  advantages  of 
a  lazy  evaluation  scheme.  We  now  turn  to  the  details  of  lazy  evaluation,  beginning 
with  a  definition  of  queries.  The  lazy  graph  data  structure  is  then  presented 
formally,  followed  by  an  algorithm  for  adding  incoming  updates  and  queries  to 
the  lazy  graph.  After  a  presentation  of  the  Lazy  Algorithm,  the  remainder  of  the 
chapter  is  devoted  to  a  discussion  of  splitting  techniques.  The  chapter  concludes 
with  a  measure  of  the  benefits  afforded  by  lazy  evaluation. 

[Figure 5-3: lazy graph after the vertical split, with
U3: INSERT Mgr(Nilsson, e) WHERE T
U7: INSERT Emp(Reid, e) WHERE (e≠CSL) ∧ (e≠CSD)
U6: INSERT Emp(Reid, CSD) WHERE e=CSD
Q: INSERT Q(Reid) WHERE Emp(Reid, CSL) ∧ Emp(Reid, CSD)]
Figure 5-3. Lazy evaluation vertical split.




5.2.  Queries 

We define a query as a temporary materialized view, to wit, a short-lived relation. In keeping with our emphasis on mechanism rather than policy, we do not define what the user should actually “see” as output from a query. A user interface routine will be in charge of optimizing and reformulating the view relation produced by the query execution mechanism into a format judged acceptable for human or programmatic consumption. In this thesis only the process of creation of that view relation is of concern, not its display.

Syntactically, queries take the form INSERT Q(c1, ..., cn) WHERE φ, where φ is a wff of the language L not containing history atoms or variables, Q is an n-ary predicate not in L, and c1 through cn are constants or Skolem constants of L. Note that Q cannot contain variables. Of course, in any database application, queries almost always contain variables, so this may seem a peculiar choice of definition for Q. The goal of this chapter, however, is to explore the issues arising in lazy evaluation and to present mechanisms for the basic tasks of lazy evaluation, much as the goal of Chapter 3 was to introduce a semantics for updates and to explain the basic technique for implementing such a semantics in polynomial time. As was the case in Chapter 3, the presence of variables in the operations under consideration would only obscure the principles at play. For that reason variables are not permitted in queries in this chapter. In like manner as the incorporation of variables into updates in Chapter 4 did not require major departures from the paradigms laid down in Chapter 3, the generalization of lazy evaluation to queries and updates containing variables will not involve radical changes in the techniques proposed here.

When the query Q arrives, the first step in handling Q is to add the new predicate Q to L and create a completion axiom ∀x1 ··· ∀xn ¬Q(x1, ..., xn) and add it to T. (Q and its completion axiom can be flushed from the system once the user interface routine is done with it.) Q is then added to the lazy graph like any ordinary update request (Section 5.5). In fact, the only major difference between a query and an ordinary update request is that query Q must be either executed or rejected right away. The Lazy Algorithm (Section 5.6) will determine whether to accept or reject Q.

5.3.  Cost  Estimation 

The first element of a system for lazy evaluation of too-expensive updates is a cost estimation function, so that we can decide which updates are too expensive to execute. Recall that one precious commodity in the system is the space required for extended relational theory storage. In fact, in the update algorithms discussed in previous chapters, the time to execute an update was just a logarithmic factor higher than the amount of additional space that the update added to T. In lazy evaluation, the time required to answer a query will be traded off against the amount of space occupied by the extended relational theory; with lazy evaluation a large number of unexecuted updates may require attention before a query can be answered. The techniques proposed in this chapter have the goal of minimizing storage space, necessarily to the detriment of query response time. In other words, in this discussion of lazy evaluation, an expensive update is one which adds too many atoms to the extended relational theory.†

The  80/20  rule  says  that  in  an  ordinary  database,  80%  of  the  queries 
reference  at  most  20%  of  the  data;  80%  of  that  80%  (i.e.,  64%)  only  reference 
at  most  20%  of  that  20%  (i.e.,  4%);  and  so  forth.  Because  of  the  80/20  rule, 
we  have  assumed  that  executed  updates  are  permanently  incorporated  into  the 
extended  relational  theory  T.  The  alternative  is  to  integrate  the  update  with  T 
during  query  execution,  but  then  abort  the  update  at  the  end  of  query  execution 
to  save  space  in  T.  However,  the  80/20  rule  implies  that  if  an  update  requires 
execution  once,  it  will  probably  require  execution  again,  and  we  might  as  well 
save  the  recomputation  costs.  Note,  however,  that  this  is  based  on  a  particular 
tradeoff  between  computation  and  storage  costs,  and  one  might  take  a  different 
view  in  a  system  where  processing  was  expensive  and  storage  was  affordable. 

The amount of space consumed by an update U is proportional to the number of relevant (in a sense to be made precise later) unifications of datoms in T with atoms of U. To control the amount of space consumed by U, lazy evaluation estimates the number of datoms added to T by each step of the Update Algorithm while U is being executed, and refuses to execute U if this estimate is excessive.

The  cost  estimate  and  cost  bound  for  an  incoming  update  or  query  are 
to  be  computed  by  functions  supplied  by  the  database  administrator.  The  cost 
functions  must  satisfy  the  following  requirements: 

1.  The  cost  estimation  function  may  overestimate  but  never  underestimate 
the  costs  (as  defined  by  the  database  administrator)  associated  with  a  set 
of  updates. 

2.  The  cost  estimate  function  and  bound  function  must  be  computable  from 
the  information  stored  in  the  lazy  graph. 

The cost information provided in the lazy graph includes a count of the number of datoms in T that unify with datoms of U, as these unifications cause most of the expense incurred when executing an update. The cost estimation function will presumably rely heavily on this unification count. The obvious algorithm for unification counting is to use index lookup and Skolem constant instantiation until no more relevant unifications are found or else the cost of the unifications found so far exceeds the cost bound. For example, to count the number of datoms of T that unify with Emp(Reid, CSD), assuming that the database has indices on both Employees and Departments, begin by looking up Reid and all Skolem constants in the Employees index, and look up CSD and all Skolem constants in the Departments index. Then do a set intersection on the two sets of tuple pointers thus generated, and count the number of pointers in the intersection.

† If query response time is a problem, then over-zealous lazy evaluation algorithms may be curbed by introducing constraints on the lazy graph (e.g., restrictions on height, flexible update cost limits, etc.).

Queries also have associated storage costs, for their temporary view relations. The bound function might well choose to allot much more space to queries than to updates, since that space will only be used temporarily.

Unification counting and cost estimation should be performed with a bit of optimization, and that is where the phrase “relevant occurrences” comes into play. The algorithms below use a test for satisfiability of bounded-length formulas to determine relevance. Other optimizations are also possible: an efficient implementation of the cost estimation procedure given below might do a much more thorough job of detecting spurious unifications. For example, any obviously “impossible” substitutions can be discounted: though Emp(Reid, CSD) unifies with Emp(e, CSD), there is no need to count that unification if the wff where Emp(e, CSD) occurs in T is Emp(e, CSD) ∧ e=Nilsson; that unification is not relevant, because the two wffs are not simultaneously satisfiable. Such optimizations will be part of the heuristic component of an implementation of the Update Algorithm, and will be important also for any user interface routine for query answering. The choice of optimizations beyond that required by algorithms given here is left to the implementor.

5.4.  The  Lazy  Graph 

The lazy graph is the data structure needed for lazy evaluation. In the lazy graph, nodes represent the atoms of updates. Update hyperedges group atoms into updates. Family hyperedges associate updates that are descended via splitting from the same original update. In addition, there is a directed arc between two nodes if the atom labels of the two nodes unify and cause one update to become dependent upon the results of the other. More formally, the lazy graph contains the following information:

1. A set of nodes. Each node is labelled with a datom or history atom, and cost information.

2. A set of update hyperedges. Each node is on one update hyperedge. Each update hyperedge is labelled with an update or query, such as U: INSERT Emp(e, CSD) WHERE T, and flagged as being either unexecuted (hereafter called pending) or executed.

3. A set of family hyperedges. Each node and update hyperedge is contained in one family hyperedge. Each family hyperedge is labelled with an update or query, such as U: INSERT Emp(e, CSD) ∧ Mgr(Nilsson, CSD) WHERE T, and flagged as being either an update or query. In addition, each family hyperedge has an associated cost bound.

4. A set of directed labelled arcs between nodes. Each arc is labelled with a substitution. These arcs represent dependencies between updates.

5. A set of directed unlabeled arcs between nodes. These arcs represent implied dependencies, such as that between ω of an update and φ of the same update.
We have chosen not to store cost estimate information for equality atoms, and hence they are not included in the lazy graph. This choice was made because equality atoms will be instrumental in reducing the size of the extended relational theory by eliminating Skolem constants, and we therefore felt that an actual and estimated cost of zero was most appropriate for any optimized implementation of the Update Algorithm.

The main expense in an update is typically due to datoms in ω. For example, if U1 is the update INSERT Emp(Reid, CSD) ∨ Emp(Reid, CSL) WHERE T, and U2 is the update INSERT e=CSD ∨ e=CSL WHERE T, then these two updates have the same size. Yet a count of the wffs added by the Update Algorithm shows that U1 will cost at least 5 times as much as U2 under the Update Algorithm, and that minimum is attained if no datom of ω of U1 is an implicit subformula of T. Therefore it seems reasonable for non-data atoms (i.e., atoms that are not datoms) to be assigned much lower cost estimates than other types of atoms in ω. For datoms g that occur only in again a lower estimate would be appropriate. Except for Step 1 of the Update Algorithm, g will take up no more space than a non-data atom, so only if Step 1 is required for g will g be more expensive than a non-data atom.

We  distinguish  between  update  and  query  execution,  or  the  incorporation 
of  an  update  or  query  into  the  extended  relational  theory;  update  and  query 
processing,  or  the  act  of  reforming  the  lazy  graph  to  make  a  particular  update 
or  query  executable;  and  update  and  query  addition,  or  the  act  of  adding  a  new 
update  or  query  to  the  lazy  graph.  These  three  phases  are  the  topics  of  the  next 
three  sections. 

5.5. The NAP Algorithm: Addition of Incoming Updates and Queries to the Lazy Graph

The  NAP  algorithm  will  be  used  in  two  scenarios:  When  an  update  or  query  U 
arrives  in  the  system,  the  NAP  algorithm  adds  U  to  the  lazy  graph  as  the  first 
member  of  a  new  update  family.  If  U  needs  to  be  incorporated  into  the  extended 
relational  theory,  we  then  process  and  execute  U.  In  addition,  when  an  update  is 
split  into  two  subupdates,  the  NAP  algorithm  is  called  to  add  those  subupdates 
to  the  lazy  graph.  In  this  case,  the  split-off  updates  are  members  of  the  same 
update  family  as  the  original  update. 

The  NAP  algorithm  talks  about  updates  containing  history  atoms.  History 
atoms  in  updates!  Is  nothing  sacred?  Fear  not,  users  still  cannot  mention  history 
atoms  in  updates;  history  atoms  are  only  present  for  technical  reasons:  they  creep 
in  when  an  update  is  split.  For  now,  ignore  any  mysterious  terminology,  and  all 
will  be  revealed  in  Section  5.7. 

A helpful example of the operation of the NAP algorithm appears in Figure 5-4.


The NAP (Node Addition Procedure) Algorithm.

Input: A lazy graph G and a request U, flagged as an update or query; and the preexisting update family to which U belongs, if any.

Output: A new lazy graph G' containing U.

Procedure: A sequence of three steps:

Step 1. Add nodes and hyperedges. For each non-equality atom g of U, add a node labelled g to G. Add a new update hyperedge to G containing exactly the new nodes, and label that hyperedge with U. If U defines a new history atom, also add a node labelled with that atom to the hyperedge. Mark the update hyperedge as pending. If U is to be part of a preexisting update family, then add its nodes to the hyperedge for that family; otherwise (1) create a new family hyperedge, labeled with U, (2) mark the family hyperedge as a query or update, as appropriate, and (3) compute the family hyperedge cost bound. Call the new graph G'.

Step 2. Add relevant arcs. Intra-update arcs. Let n and n' be two different nodes on the update hyperedge for U. If n is in ω of U and n' is in φ of U, then add an unlabeled arc from n to n'. These arcs represent the fact that the truth valuations for the atoms in ω after U is executed will depend upon the truth valuations for the atoms of φ at the time U is executed.

History atom definition arcs. If a history atom h of U also is the label of a node of a pending update U', then add an unlabeled arc from h in U' to the node h of U. This ensures that history atoms are defined before they are used.

Inter-update arcs. If any update hyperedges other than U are pending, then the effect of executing U may depend upon the results of those other updates. Let U' be a pending update hyperedge of G' other than U. Let f be the label of a node on the update hyperedge U', and g the label of a node on the update hyperedge U. Place a directed arc labelled σ from node f to node g if

(1) f unifies with g under the most general substitution σ; and

(2) σ ∧ φ_U and σ ∧ φ_U' are both satisfiable; and

(3) if φ_U logically entails a wff α containing only equality atoms, then φ_U' ∧ α is satisfiable; and either

(4a) (write/read conflict) f is a subformula of ω of U' and g is a subformula of φ of U; or

(4b) (read/write conflict) f is a subformula of φ of U' and g is a subformula of ω of U; or

(4c) (write/write conflict) f is a subformula of ω of U' and g is a subformula of ω of U.

Explanations and examples of these tests appear after the algorithm.

Step 3. Record cost information. As input to the cost estimation function, cost information must be recorded for each node of U that is labelled with a datom g. Record whether g is a subformula of T or is the label of any ancestor of g in the lazy graph. (In the latter case, g would appear in T by the time U is executed.) Also record the number of different datoms occurring in T or on labels of ancestors of g that unify with g, up to a preset limit l. If the limit l is reached, then also record the fact that the unification count terminated early due to cost overrun. □

The unification count limit l is used to ensure that estimating the cost of an overly expensive update does not take as much time as it would to execute it. The correct value for the limit l depends on the cost bound for that particular update family, and should be set so that the unification count for any affordable update will not exceed l.
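The index-based unification count described in Section 5.3, together with the count limit l of Step 3 of the NAP Algorithm, as an added Python example (not the dissertation's code). The DatomIndex class, the datom id scheme, the SKOLEM name set and the sample relation are all constructed for this example; matching column by column may overestimate, which requirement 1 of Section 5.3 permits.

```python
SKOLEM = {"e", "e1", "e2"}          # assumed Skolem constant names (constructed)

class DatomIndex:
    """Secondary indices for one relation: per argument position, a map from an
    argument value (constant or Skolem constant) to the ids of datoms of T
    carrying that value there.  Constructed stand-in for the database indices."""
    def __init__(self, arity):
        self.columns = [dict() for _ in range(arity)]
        self.datoms = {}

    def insert(self, datom_id, args):
        self.datoms[datom_id] = tuple(args)
        for column, value in zip(self.columns, args):
            column.setdefault(value, set()).add(datom_id)

    def lookup(self, position, value):
        """Ids of datoms whose argument at `position` may unify with `value`:
        look up the value itself plus every Skolem constant; a Skolem constant
        in the probe atom can stand for anything, so it matches the whole column."""
        column = self.columns[position]
        if value in SKOLEM:
            return set().union(*column.values())
        ids = set(column.get(value, ()))
        for skolem in SKOLEM:
            ids |= column.get(skolem, set())
        return ids

def unification_count(index, probe, limit):
    """Count datoms of T unifying with the probe atom (argument tuple), stopping
    at the preset limit l.  Returns (count, overrun); overrun records that the
    count terminated early because more than l unifications exist (NAP Step 3).
    Column-by-column matching may overestimate (Emp(e, e) vs. Emp(Reid, CSD)),
    which the cost estimation requirements allow; it never underestimates."""
    lookups = [index.lookup(pos, value) for pos, value in enumerate(probe)]
    count = 0
    for datom_id in sorted(min(lookups, key=len)):   # scan the smallest set
        if all(datom_id in ids for ids in lookups):   # set intersection, lazily
            if count == limit:
                return count, True
            count += 1
    return count, False

def sample_theory():
    """Constructed Emp relation of an extended relational theory T."""
    emp = DatomIndex(arity=2)
    for datom_id, args in enumerate([("Reid", "CSD"), ("Reid", "e"),
                                     ("e1", "CSD"), ("Nilsson", "CSL"),
                                     ("e2", "e")], start=1):
        emp.insert(datom_id, args)
    return emp
```

On the sample relation, Emp(Reid, CSD) unifies with four datoms, so unification_count(sample_theory(), ("Reid", "CSD"), 3) returns (3, True), the early termination that Step 3 records.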

In Step 2 of the NAP Algorithm, tests (1), (2), and (3) ensure that the conflict is relevant. If test (1) is failed, then there can be no conflict between U and U' on the basis of f and g, because those two atoms do not even unify. For example, Emp(Reid, CSD) and Mgr(Nilsson, CSD) cannot cause a conflict.

Test (2) of Step 2 ensures that the unification under which the conflict occurs can actually materialize in some model. For example, let U be INSERT Emp(Reid, e) WHERE Mgr(Nilsson, e) ∧ ((e = EE) ∨ (e = CSL)), and let U' be INSERT Emp(Reid, CSD) WHERE T. Then σ is e = CSD, and U and U' can only conflict in models where e is CSD. But in any model where e is CSD, the selection clause φ of U must be false. Therefore U and U' cannot conflict.

Test (3) ensures that U' and U can take place in “overlapping” sets of alternative worlds. Test (3) is a useful heuristic for reducing the number of arcs in the lazy graph without incurring much additional expense. For example, suppose U1 is INSERT Emp(Reid, CSD) WHERE e = CSD and U2 is INSERT Emp(Reid, CSD) WHERE e = EE. Without test (3), a write/write conflict would be recorded between these two updates, even though in fact the updates must take place in disjoint sets of alternative worlds. Including this unnecessary write/write arc in the lazy graph would force extra serialization.

Example. Suppose the lazy graph contains the pending update U1: INSERT Emp(Reid, e1) ∨ Mgr(Nilsson, e2) WHERE T, and the update U2: INSERT Q(CSD) WHERE Emp(Reid, CSD) arrives. Figure 5-4 shows the new lazy graph minus cost information. □
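Step 2 of the NAP Algorithm with tests (1) to (3) and the conflict kinds (4a) to (4c), as an added Python example (not the dissertation's code). It assumes the tuple representation of atoms and formulas shown, that the names in SKOLEM are the Skolem constants, and it decides the bounded-length satisfiability tests by brute force over Skolem valuations and datom truth values.

```python
from itertools import product

SKOLEM = {"e", "e1", "e2"}          # assumed Skolem constant names (constructed)
TRUE = ("true",)                     # the selection clause T

def atom(*args): return ("atom", tuple(args))   # datom, e.g. atom("Emp", "Reid", "e")
def eq(a, b):    return ("eq", a, b)            # equality atom a = b
def And(*fs):    return ("and",) + fs
def Or(*fs):     return ("or",) + fs

def parts(f, want):
    """The datoms (want="atom") or argument terms (want="term") occurring in f."""
    if f[0] == "atom":
        return [f[1]] if want == "atom" else list(f[1][1:])
    if f[0] == "eq":
        return [] if want == "atom" else [f[1], f[2]]
    return [x for g in f[1:] for x in parts(g, want)]      # and / or / true

def unify(f, g):
    """Test (1): most general substitution (Skolem constant -> term) making the
    atoms f and g identical, or None when they do not unify."""
    if f[0] != g[0] or len(f) != len(g):
        return None
    sigma = {}
    deref = lambda t: deref(sigma[t]) if t in sigma else t   # follow bindings
    for a, b in zip(f[1:], g[1:]):
        a, b = deref(a), deref(b)
        if a == b: continue
        if a in SKOLEM:   sigma[a] = b
        elif b in SKOLEM: sigma[b] = a
        else: return None                   # two distinct ordinary constants
    return sigma

def evaluate(f, rho, truth):
    """Truth value of f under Skolem valuation rho and datom assignment truth."""
    v = lambda t: rho.get(t, t)
    if f[0] == "true": return True
    if f[0] == "eq":   return v(f[1]) == v(f[2])
    if f[0] == "atom": return truth[tuple(v(t) for t in f[1])]
    if f[0] == "and":  return all(evaluate(g, rho, truth) for g in f[1:])
    return any(evaluate(g, rho, truth) for g in f[1:])      # "or"

def valuations(fs):
    """Every Skolem valuation over the constants of fs plus one fresh value per
    Skolem constant (equal to no constant, possibly to another Skolem constant)."""
    terms = [t for f in fs for t in parts(f, "term")]
    sk = sorted({t for t in terms if t in SKOLEM})
    dom = sorted({t for t in terms if t not in SKOLEM}) + ["@" + s for s in sk]
    for vals in product(dom, repeat=len(sk)):
        yield dict(zip(sk, vals))

def satisfiable_under(f, rho):
    """Is f satisfiable with rho fixed and the datom truth values left free?"""
    ground = sorted({tuple(rho.get(t, t) for t in d) for d in parts(f, "atom")})
    return any(evaluate(f, rho, dict(zip(ground, bits)))
               for bits in product((False, True), repeat=len(ground)))

def satisfiable(f):
    return any(satisfiable_under(f, rho) for rho in valuations([f]))

def overlap(phi1, phi2):
    """Test (3): every equality-only consequence of phi1 is consistent with
    phi2, i.e. one Skolem valuation admits models of both selection clauses."""
    return any(satisfiable_under(phi1, r) and satisfiable_under(phi2, r)
               for r in valuations([phi1, phi2]))

class Update:
    """U: INSERT omega WHERE phi, flagged as an update or a query."""
    def __init__(self, name, omega, phi=TRUE, kind="update"):
        self.name, self.omega, self.phi, self.kind = name, omega, phi, kind
        self.pending = True                 # executed updates are not conflict sources
    def nodes(self):
        """(datom, writes?) for the datoms of omega (writes) and phi (reads)."""
        return ([(d, True) for d in parts(self.omega, "atom")] +
                [(d, False) for d in parts(self.phi, "atom")])

CONFLICT = {(True, False): "write/read", (False, True): "read/write",
            (True, True): "write/write"}   # keyed by (f in omega of U', g in omega of U)

def nap_arcs(pending, new, use_test3=True):
    """Inter-update arcs of NAP Step 2, from each node f of a pending update U'
    to each node g of the arriving update, as (U', f, U, g, sigma, kind)."""
    arcs = []
    for old in (u for u in pending if u.pending):
        for f, f_writes in old.nodes():
            for g, g_writes in new.nodes():
                sigma = unify(f, g)                                # test (1)
                if sigma is None or not (f_writes or g_writes):    # read/read: no arc
                    continue
                sig = And(*[eq(s, t) for s, t in sigma.items()]) if sigma else TRUE
                if not (satisfiable(And(sig, new.phi)) and satisfiable(And(sig, old.phi))):
                    continue                                       # test (2)
                if use_test3 and not overlap(new.phi, old.phi):    # test (3)
                    continue
                arcs.append((old.name, f, new.name, g, sigma, CONFLICT[f_writes, g_writes]))
    return arcs
```

Called as nap_arcs([U1], U2) on the updates of figure 5-4 it returns the single write/read arc from Emp(Reid, e1) of U1 to Emp(Reid, CSD) of U2 labelled {e1: CSD}; on the two examples of tests (2) and (3) above it returns no arc, and with use_test3=False it records the write/write arc that test (3) suppresses.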

All Skolem constants and history atoms occurring in a pending update U are pinned in T until U has completed execution. This means that database optimization routines cannot remove those Skolem constants and formulas from the database, even if they are no longer logically necessary. For example, if the database system discovers that e=Reid, at least the single wff “e=Reid” must remain in T until all pending updates containing e have been executed. (Alternatively, one might prefer to substitute the newly discovered values into the pending updates that reference them; for simplicity we do not consider this method.) If these atoms were not pinned, then errors might occur in execution. For example, suppose a user requests the update U1: INSERT Emp(Reid, e) WHERE T as soon as it becomes known that Reid is definitely a member of some department. Suppose that U1 is too expensive to execute, and that U1 is still pending two weeks later when the user discovers that Reid is in CSD, that is, that e = CSD.
[Figure 5-4: lazy graph for U1: INSERT Emp(Reid, e1) ∨ Mgr(Nilsson, e2) WHERE T, with the update hyperedge and the family hyperedge marked in a legend]
Figure 5-4. Lazy graph example.


This new update INSERT e = CSD WHERE T is probably affordable, so assume that it is executed immediately. If all mention of e is subsequently removed from the theory, and then U1 is finally executed, U1 will not add the fact that Reid is in CSD; rather, U1 will erroneously declare that Reid is in some unknown and unrestricted department. For this reason, history atoms and atoms containing Skolem constants must be pinned.

It is important to show that the lazy graph does capture exactly the information needed to process all incoming updates correctly with the Update Algorithm. The arcs and hyperedges of the lazy graph induce a directed acyclic graph whose “nodes” are update hyperedges, and in which an arc goes from update U to U' if there is an arc in the lazy graph between a node of U and a node of U'. As is true of the entire lazy graph, this induced update graph contains no cycles, because when an update U is added to the lazy graph using the NAP algorithm, all new arcs go to nodes of U from nodes of preexisting updates. Therefore the lazy graph induces a partial order on updates, and one can use this ordering to sort the updates topologically. Recall that a topological sort of a directed acyclic graph is constructed by repeatedly selecting a root in the graph and deleting it and its incident arcs from the graph. If U1 ··· Un is a topological sort, then call the sequence Un ··· U1 a reverse topological sort.


Theorem 5-1. Let U1 ··· Un be a sequence of updates and queries, and let T be an extended relational theory. Let G be the lazy graph created by sequentially inserting U1 through Un into an initially empty lazy graph. Let Toposort be any reverse topological sort of all the updates in G. Then Worlds(Toposort(T)) = Worlds(Un(···(U1(T))···)). □

The  proof  of  Theorem  5-1  uses  a  bit  of  new  terminology: 

Definition. Let n and n' be nodes in a lazy graph. Then n is an ancestor of n' if there is a path from n to n' in the lazy graph. If U and U' are update hyperedges, then U is an ancestor of U' if there is a path from a node of U to a node of U' in the lazy graph. □

Proof of Theorem 5-1. First, the sequence S1 = Un ··· U1 is a reverse topological sort of the lazy graph, because when an update or query U is inserted into the lazy graph with the NAP Algorithm, no new ancestors are created for any node except U. Let Toposort be a reverse topological sort other than S1. There must be a rightmost position on which the two sorts differ; counting from the right, say that S1 and Toposort agree on positions 1 through i − 1, but differ in the ith position, where S1 has Ui and Toposort has Uj. Let S2 be the sort Un ··· Uj+1 Uj−1 ··· Ui Uj Ui−1 ··· U1. Since Toposort is a reverse topological sort, Uj must not have any ancestors in the sequence Uj−1 ··· Ui. In particular, Uj−1 must not be an ancestor of Uj. Applying Lemma 5-1, Worlds(Un ··· Uj+1 Uj−1 Uj Uj−2 ··· U1(T)) = Worlds(Un ··· U1(T)). By induction, Worlds(S2(T)) = Worlds(S1(T)). By induction, it follows that Worlds(Toposort(T)) = Worlds(S1(T)). □

Lemma 5-1. Let T be an extended relational theory, and let U1 and U2 be updates or queries:

U1: INSERT ω1 WHERE φ1,

U2: INSERT ω2 WHERE φ2,

such that if first U1 and then U2 are inserted into a lazy graph G using the NAP Algorithm, U1 is not an ancestor of U2. Then Worlds(U2(U1(T))) = Worlds(U1(U2(T))). □

Proof of Lemma 5-1. Let M be a model of T having Skolem constant substitution σ with respect to T, U1, and U2. Let M1 be a model of U1(T) such that World(M1) ∈ Worlds(U1(T)); and let M2 be a model of U2(T) such that World(M2) ∈ Worlds(U2(T)). Suppose that φ1 is not satisfied in M. Then World(M) = World(M1), and Worlds(U2(M1)) = Worlds(U2(M)). Suppose U2 is first applied to M, producing a model M1' of World(M2), and then U1 is applied to M1'. If U1 does not change the alternative world of M1', then World(M2') = World(M2). If U1 does change M1', then though φ1 was false in M, φ1 is true in M1'. Therefore there must be datoms f in φ1 and g in ω2 such that f unifies with g under σ. We claim that there is a read/write arc in the lazy graph between f and g, which violates the claim that U1 is not an ancestor of U2. To see this, note that f and g pass test (1) of Step 2, as f and g unify under σ. For test (2), σ ∧ φ1 is true in M1', and σ ∧ φ2 was true in M, so both wffs are satisfiable. For test (3), suppose φ2 logically entails α, where α consists of equality atoms. Then α is true in M, and therefore also in M1'. As φ1 is true in M1', α must be consistent with φ1. We conclude that if φ1 is not true in M, then Worlds(U1(M)) = Worlds(U2(M)). The proof is symmetric if is false in M, or if φ2 is false in M1, or if φ1 is false in M1'. We conclude that in all these cases, the lemma holds.

Now suppose that φ1 is true in M, and φ2 is true in M1. Let M1' be a model that agrees with M in all respects except for the truth valuations of the atoms of (ω2)σ, which are the same in M1' as in M2. Then World(M1') ∈ Worlds(U2(M)). Now apply U1 to M1'. If and (ω2)σ are over disjoint sets of datoms, then World(M2') ∈ Otherwise, we claim that there is a write/write conflict between U1 and U2, a contradiction. To see this, let f be a datom of ω1 and g a datom of ω2 such that f and g unify under σ. Step 2 of the NAP algorithm contains three tests for f and g: (1) f and g must unify, which they do by definition; (2) σ ∧ φ1 and σ ∧ φ2 are both satisfied, by assumption; and as and φ2 are both true in M, test (3) is also satisfied. The symmetric proof holds if first U2 and then U1 is applied to M. We conclude that Worlds(U2(U1(M))) = Worlds(U1(U2(M))). □

5.6.  The  Lazy  Algorithm 

When  can  a  pending  update  U  be  executed?  The  cardinal  rule  is  that  U  may  be 
executed  now  if  U  is  affordable  and  all  its  ancestors  in  the  lazy  graph  have  been 
executed.  This  determination  is  made  by  examining  each  update  family  in  the 
lazy  graph  G.  For  U  to  be  affordable,  within  each  update  family  of  G,  the  costs 
of  the  ancestors  of  U  plus  the  costs  of  previously  executed  members  of  the  family 
cannot  exceed  the  cost  limit  for  the  family. 

For example, let U be the incoming update INSERT Emp(Reid, CSD) WHERE T. Suppose the relevant portion of the lazy graph is as in fig­ure 5-5. Summing estimated costs (actual costs may be used for U1 if available), it appears that no splits will be needed in this lazy graph if the cost limit l is at least 10. If the cost limit is less than 10, a split of U2 is the most appropriate course of action.

As  another  example,  the  update  INSERT  e  =  CSD  WHERE  T  must  be  a  root 
in  the  lazy  graph,  since  it  contains  no  datoms  or  history  atoms;  if  its  estimated 
cost  is  zero,  then  it  may  be  executed  at  any  time. 

The  test  for  affordability  may  be  described  more  formally  as  follows. 

Definitions. Let S be a set of updates and/or queries in a lazy graph. For each family ℱ with an update or query in S, let S(ℱ) be the set of all updates or queries in family ℱ that are in S or have already been executed. Then S is affordable if for each family ℱ with an update or query in S,

$$\mathrm{CostLimit}(\mathcal{F}) \;\geq\; \sum_{U \in S(\mathcal{F})} \mathrm{EstCost}(U),$$

i.e., if the amount spent on executed updates and queries of ℱ plus the amount estimated for updates and queries of ℱ that are in S is no more than the cost limit for ℱ. If S is not affordable, then S is expensive. ◇

The  Lazy  Algorithm  non-deterministically  processes  a  query  or  update  U 
of  the  lazy  graph,  working  U  into  an  executable  position  by  splitting  its  ancestors 
to  reduce  their  costs. 

The Lazy Algorithm.

Input. A lazy graph G with one particular node, U, that is to be processed. Initially all nodes of G are marked as being unexamined.

Output. An equivalent version of G and either an ACCEPT or REJECT verdict. If the verdict is ACCEPT, then all ancestors of U in G are now affordable. If the verdict is REJECT, then the cause of the rejection is also returned.

Procedure. A sequence of three steps:

Step 1. Accept U. If the set of all ancestors of U in G is affordable, then terminate with an ACCEPT verdict.

Step 2. Reject U. If the examined ancestors of U are expensive, send the user a REJECT verdict along with information on the reason for the rejection. This information may include the family and update hyperedge labels and all family cost information for every update and query on any path from the expensive ancestor to U. Then restore the lazy graph to its original state and terminate execution.

Step 3. Split ancestors. Choose a nearest†, pending unexamined ancestor U' of U. Guess a sequence of splits for U', and perform them using the Splitting Algorithm. Mark U' as examined, if it still exists; otherwise mark the updates split off from U' as examined. Go back to Step 1. ◇

If  the  Lazy  Algorithm  accepts  node  U,  then  to  execute  U,  choose  an 
affordable  pending  ancestor  update  U'  whose  nodes  are  all  roots  in  the  lazy 
graph  G.  Execute  U',  afterwards  marking  that  hyperedge  as  executed.  Repeat 
until  U  itself  has  been  executed  and  so  marked.  If  every  update  hyperedge  in 
a  family  hyperedge  has  been  executed,  then  all  nodes,  hyperedges,  and  incident 
arcs  of  that  family  can  be  removed  from  G. 
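As an added illustration of the affordability test and of Steps 1 and 2 of the Lazy Algorithm, together with the execution order just described, the following Python sketch is example code written for this edition, not code from the dissertation. It models a lazy graph with per-family cost limits set by the database administrator, and makes three simplifying assumptions: only estimated costs are used, the set checked in Step 1 is U together with its ancestors, and Step 3 (splitting) is not modelled. The node names U1, U2, U3, Q, the families F1, F2 and all cost figures are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed toy model of the lazy graph of Section 5.6 (not the dissertation's
# code): nodes are pending updates/queries with an update family, an estimated
# cost and the parents they depend on. Cost limits per family are assumed to be
# set by the database administrator.


@dataclass
class Node:
    name: str
    family: str
    est_cost: int
    parents: list = field(default_factory=list)  # names of updates this one depends on
    executed: bool = False


class LazyGraph:
    def __init__(self, cost_limits):
        self.cost_limits = cost_limits  # family -> CostLimit(F)
        self.nodes = {}

    def add(self, name, family, est_cost, parents=()):
        self.nodes[name] = Node(name, family, est_cost, list(parents))

    def ancestors(self, name):
        """All (transitive) ancestors of `name`, by walking parent links."""
        seen, stack = set(), list(self.nodes[name].parents)
        while stack:
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(self.nodes[p].parents)
        return seen

    def affordable(self, S):
        """The affordability test: for every family F with a member in S,
        CostLimit(F) >= sum of EstCost over S(F), where S(F) holds the members
        of F that are in S or have already been executed. Returns (ok, family)
        naming the first family over budget when S is expensive."""
        for fam in sorted({self.nodes[u].family for u in S}):
            spent = sum(n.est_cost for n in self.nodes.values()
                        if n.family == fam and (n.name in S or n.executed))
            if spent > self.cost_limits[fam]:
                return False, fam
        return True, None

    def process(self, name):
        """Steps 1 and 2 of the Lazy Algorithm for node `name` (Step 3, the
        non-deterministic splitting of ancestors, is not modelled). The set
        checked in Step 1 is taken to be U together with its ancestors."""
        S = self.ancestors(name) | {name}
        ok, fam = self.affordable(S)
        if ok:
            return "ACCEPT", None
        # REJECT: report the family over budget and the members charged to it
        members = sorted(u for u in S if self.nodes[u].family == fam)
        return "REJECT", {"family": fam, "members": members}

    def execute(self, name):
        """After ACCEPT: repeatedly execute a pending ancestor whose parents are
        all executed (a root of the pending subgraph) until `name` itself runs.
        Returns the execution order."""
        pending = {u for u in self.ancestors(name) | {name}
                   if not self.nodes[u].executed}
        order = []
        while pending:
            ready = sorted(u for u in pending
                           if all(self.nodes[p].executed for p in self.nodes[u].parents))
            u = ready[0]  # a DAG always has a ready node
            self.nodes[u].executed = True
            pending.discard(u)
            order.append(u)
        return order


def build_example(limit_f1):
    """Constructed graph: U1 -> U2 -> Q, with U1 and U2 in family F1 and Q in F2."""
    g = LazyGraph({"F1": limit_f1, "F2": 5})
    g.add("U1", "F1", 4)
    g.add("U2", "F1", 6, parents=["U1"])
    g.add("Q", "F2", 2, parents=["U2"])
    return g


def demo():
    """Q is accepted when F1's limit covers U1 + U2 (4 + 6 = 10); afterwards a
    new F1 update of cost 1 is rejected, because executed members still count."""
    g = build_example(10)
    verdict, _ = g.process("Q")
    order = g.execute("Q")
    g.add("U3", "F1", 1, parents=["U1"])
    late_verdict, reason = g.process("U3")
    return verdict, order, late_verdict, reason


if __name__ == "__main__":
    print(demo())
```

The second half of `demo` is the point of the family bookkeeping: once U1 and U2 have been executed, their costs remain charged to family F1, so a cheap new member of that family is still rejected until the family's cost is reduced (retroactively, as the text notes) or its limit raised.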

In  the  case  of  a  REJECT  verdict,  the  Lazy  Algorithm  may  return  a  great 
deal  of  information  to  the  user.  This  is  because  there  are  many  possible  ways 
to  make  an  update  cheaper,  including  retroactively  reducing  the  cost  of  previ¬ 
ously  executed  members  of  an  update  family.  To  make  the  best  choice  for  cost 
reduction,  the  user  may  need  all  that  information. 

For  the  Lazy  Algorithm  to  work  according  to  expectations,  it  must  satisfy 
a  number  of  requirements.  First,  if  the  Lazy  Algorithm  accepts  an  update  or 
query  U,  then  no  family  cost  bounds  may  be  exceeded  during  execution  of  the 
ancestors  of  U.  Fortunately,  this  follows  immediately  from  Step  1  and  the  fact 
that  the  cost  estimate  function  is  guaranteed  not  to  underestimate  costs  as  defined 
by  the  database  administrator. 

Second, we must show that the splits performed in Step 3 of the Lazy Algorithm map one correct lazy graph into another “equivalent” graph. The following section presents a large repertoire of splitting techniques and proves that they meet this requirement.

Finally, Theorem 5-1 guarantees that the extended relational theory will reach a correct final state as long as the updates in the lazy graph are executed in topological sort order. However, we need a characterization of the intermediate state of the extended relational theory, in particular, of the state of the extended relational theory when an update or query U and all its ancestors have just been executed; for that is the state that the user glimpses. Intuitively, for U a leaf of the lazy graph, at an intermediate stage the alternative worlds of the extended relational theory are correct when projected onto just the atoms in the update or query U.

† A nearest ancestor of U with property P, if one exists, is an ancestor U' of U with property P such that no other ancestor of U with property P has a shorter path to U than U' does.

To explore this last point more formally, new terminology is in order. We distinguish the case where ω contains the equality predicate or is unsatisfiable (an assertion). Assertions are different from other updates in that they may eliminate some alternative worlds of a theory to which they are applied. Updates that are not assertions, on the other hand, cannot eliminate any alternative worlds of a theory: for if ω is satisfiable and does not contain the equality predicate, an insertion always produces some model from any model to which it is applied. If ω is satisfiable but contains the equality predicate, then the update may eliminate some models by invalidating their Skolem constant mappings. For example, “e = CSD” will eliminate all models where e is not mapped to CSD. The distinction between these types of updates is important because most users will want execution of any query to force execution of all† pending assertions, because assertions may affect the answer to the query by eliminating the alternative worlds where some potential answers to the query are true.

Definition. Let S be a set of datoms. Let T be an extended relational theory, and let M be a model of T with Skolem constant substitution σ with respect to S. Then World(M) restricted to S (written World(M)|S) is the wff form‡ of the truth valuations in M of atoms in (S)σ. Further,

$$\mathrm{Worlds}(T)|S \;=\; \bigcup_{M \in \mathrm{Models}(T)} \big(\mathrm{World}(M)|S\big). \quad ◇$$

Theorem 5-2. Suppose the updates and queries of a lazy graph G formed by the NAP algorithm have topological sort U₁ ··· Uₙ Q. Let S be the set containing all datoms of Q, and let T be an extended relational theory. If Toposort is a reverse topological sort of the ancestors of Q, then Worlds(Toposort(T))|S ⊆ Worlds(Q(Uₙ(···U₁(T)···)))|S. Further, if Toposort+Assertions is a reverse topological sort of Q and the assertions in G, and all their ancestors, then Worlds(Q(Uₙ(···U₁(T)···)))|S = Worlds(Toposort+Assertions(T))|S. ◇

Proof of Theorem 5-2. Choose a particular topological sort Fulltoposort of all the updates and queries of G. Let Toposort+Assertions be derived from Fulltoposort by deleting all updates and queries of Fulltoposort that are not assertions or ancestors of Q. Let Toposort be derived from Toposort+Assertions by deleting all updates and queries that are not ancestors of Q. Then by Theorem 5-1, Worlds(Fulltoposort(T)) = Worlds(Q(Uₙ(···U₁(T)···))). It therefore suffices to show that Worlds(Fulltoposort(T))|S = Worlds(Toposort+Assertions(T))|S, and Worlds(Toposort(T))|S ⊆ Worlds(Fulltoposort(T))|S.

There must be a rightmost position in which Toposort+Assertions and Fulltoposort contain different updates or queries. Suppose that the occupant of that position is U in Fulltoposort. Then U does not appear in Toposort+Assertions. Therefore U is not an ancestor of Q or an assertion. Let M be a model of T with Skolem constant substitution σ with respect to Q, U₁ through Uₙ, and T. When U is applied to M, it may change the alternative world of M but it cannot eliminate that world, as ω of U must be satisfiable. If φ of U is false in M, then U does not change the alternative world of M, and so eliminating U from Fulltoposort would not change the alternative worlds eventually produced from M. If φ is true in M, then U may change the alternative world of M. However, U is not an ancestor of Q. If (U)σ has no datoms in common with any member of (Left(U))σ, that is, the sequence of queries and updates Q ··· U' appearing to the left of U in Fulltoposort, then Worlds(Left(U)(U(M)))|S = Worlds(Left(U)(M))|S. If a datom or history atom f of ω_U unifies under σ with an atom g of U', for U' any member of Left(U), then it must be the case that test (2) or (3) of Step 2 of the NAP algorithm is violated for f and g, i.e., that φ_{U'} must be false in M and in all descendants of M. In this case, when U' is executed, it cannot change the alternative world of M or any descendant of M. Therefore eliminating U from Fulltoposort cannot change the effect of U'. We conclude that U can be removed from Fulltoposort without changing the alternative worlds of Fulltoposort(T) restricted to S. By induction, Worlds(Fulltoposort(T))|S = Worlds(Toposort+Assertions(T))|S. By the same argument, Worlds(Toposort(T))|S ⊆ Worlds(Toposort+Assertions(T))|S, so it follows that Worlds(Toposort(T))|S ⊆ Worlds(Toposort+Assertions(T))|S. ◇

† Well, up to the limits imposed by the user’s patience.

‡ A truth valuation v can be written in wff form as a conjunction of literals, such that the atom a is a conjunct of v in wff form iff a receives the truth valuation T under v, and ¬a is a conjunct of v in wff form iff a receives the truth valuation F under v.

Theorem  5-2  implies  that  unless  all  assertions  are  executed,  a  query  may 
give  less  precise  answers  than  is  otherwise  possible.  In  particular,  it  may  report 
that  a  ground  wff  a  is  true  in  some  alternative  worlds  and  false  in  others  when, 
if  all  assertions  were  executed,  it  would  be  known  that  in  fact  a  had  the  same 
truth  valuation  in  all  remaining  alternative  worlds. 

5.7.  Update  Splitting 

To reduce the cost of the ancestors of a query or update that needs to be executed, the Lazy Algorithm makes use of a formalization of the splitting techniques illustrated in Section 5.1. There are two basic varieties of splits, or divisions of an update U into a sequence of updates: horizontal splits, in which disjuncts, conjuncts, or atoms of ω or φ are removed from U, generating a sequence of two updates to replace U; and vertical splits, in which U is split into multiple updates by conjoining a substitution or other wff φ' to one version of U and ¬φ' to the other. When an update is split, the resulting updates belong to the same family as did the original, and hence apply to the same cost bound as did the original. In addition, there are certain logical manipulations of φ and ω that can be useful, and they will be discussed also.

There are many ways to skin a cat, and many ways to split an update. Given an update or query U in the lazy graph to process, in the worst case the best way to split the ancestors of U will not be at all obvious. In fact, in a deterministic version of the Update Algorithm, one can easily spend time exponential in the size of the lazy graph (assuming P ≠ NP) just trying to decide how to split U's ancestors; the update split that initially looks most advantageous may turn out to cause an unacceptable increase in the costs of that update's ancestors. This plethora of possibilities does not lead to nice theorems telling when the Lazy Algorithm will accept U, or even to a nice algorithm for trying out all the possibilities. For that reason, we present a large repertoire of splits but only present a characterization of the performance of the Lazy Algorithm for a small subset of these splits.

5.7.1.  A  Repertoire  of  Splits 

In a horizontal split, selected datoms are removed from φ or ω of an update U. Horizontal splits can be helpful when U is an ancestor of the incoming query Q, and some expensive part of U is not actually relevant to Q at all. For example, in INSERT a ∨ g WHERE φ, if g is expensive and not needed for the execution of Q, it will be advantageous to split g off, because the estimated cost of INSERT a WHERE φ will doubtless be lower than that for U. It is possible to split between conjuncts of ω or disjuncts of ω or φ, and also to remove individual datoms from ω. These four types of splits will be covered in Splitting Rules 1 through 4, which map an update U into an equivalent sequence of updates:

Definition. If S₁ and S₂ are two sequences of updates over a language L, then S₁ and S₂ are equivalent if for every extended relational theory T over L, Worlds(S₁(T)) = Worlds(S₂(T)). ◇

One obstacle to splitting an update U into U₁ and U₂ is that when U₂ is executed, U₂ must have some means of locating those alternative worlds where U is not yet completed. For example, if U is INSERT ω WHERE φ and U₁ is INSERT ω₁ WHERE φ, then in general U₂ cannot also rely on selection clause φ, because ω₁ may have changed the truth valuations for atoms in φ. A more promising candidate for U₂'s selection clause is (φ)σ_{HU₁}, where σ_{HU₁} is the history substitution for U₁. However, there are two drawbacks to the use of (φ)σ_{HU₁} in U₂. First, a future update with ancestor U may need to write some of the datoms in (φ)σ_{HU₁}; then there will be a read/write conflict between U₂ and that update, forcing sequential execution. Second, U may be split many times before it is fully executed. Every split-off update will incur costs associated with φ. Even if ω is very simple, the added expense of dealing with (φ)σ_{HU₁}, ((φ)σ_{HU₁})σ_{HU₂}, etc. may push the total cost for U beyond the cost limit, and force rejection of queries.

The solution to this difficulty is to make φ_{U₂} as short as possible. The technique for doing so has been presented once before, in the discussion of computational complexity of the Update Algorithm Version I in Chapter 3. There the goal was to minimize the amount of space required for formula (2), by defining a new history atom H(U) with the wff H(U) ↔ φ and adding this wff to T just after Step 1 of the Update Algorithm. This is adapted to the current case as follows.

Definition. If an update U is split into U₁ and U₂, then U₁ defines H(U) if H(U) is a new† history atom and during the execution of U₁, after Step 1 of the Update Algorithm, the formula H(U) ↔ φ is added to T. ◇

Once defined, H(U) can be used by subsequent updates; H(U) is just a history atom that will be true in a model M iff φ was true in the precursor to that model just before U₁ was executed. H(U) is an inexpensive way of marking the models where φ is true so that one can come back later and finish U easily. In many of these splitting rules, U₁ will define a history atom that is subsequently used by U₂. In the earlier example, U₂ can use H(U) as its selection clause rather than (φ)σ_{HU₁}. By this means, history atoms can now appear in split-off updates.

Please note that if U defines a history atom and U is itself to be split into U₁ and U₂, then U₁ inherits the job of defining that history atom.

Splitting Rule 1. Splits between conjuncts of ω. If no datom or history atom in ω₁ unifies with an atom of ω₂, then the update U: INSERT ω₁ ∧ ω₂ WHERE φ is equivalent under the Update Algorithm to the sequence of updates

U₁: INSERT ω₁ WHERE φ,

U₂: INSERT ω₂ WHERE H(U),

where U₁ defines H(U). ◇

Remark 5-1. When U is split into U₁ and U₂, if φ contains no datoms, then the expense of defining H(U) is unnecessary. It is preferable in this case not to define H(U), but rather just use φ directly. This will be done in the examples of this chapter.

Example. INSERT Emp(Reid, CSD) ∧ Emp(Reid, EE) WHERE T is equivalent to the sequence of updates

INSERT Emp(Reid, CSD) WHERE T,

INSERT Emp(Reid, EE) WHERE T. ◇

Proofs  of  correctness  for  these  splitting  rules  are  collected  in  Section  5.7.2. 

Selection clauses are not the only places where extra history atoms are useful for marking models where updating is to be completed later. The case where ω is a disjunction, e.g., R(a) ∨ R(b), is a good illustration. If we want to insert just R(a) for now and complete the disjunction later, then there must be some way of identifying the models where R(b) should be inserted later. A new history atom is the best solution.

† A new history atom is one which does not unify with any history atom in T or in a pending update.

Splitting Rule 2. Splits between disjuncts of ω. If no datom in ω₁ unifies with an atom of ω₂, then the update U: INSERT ω₁ ∨ ω₂ WHERE φ is equivalent under the Update Algorithm to the sequence of updates

U₁: INSERT ω₁ ∨ H(U₁) WHERE φ,

U₂: INSERT H(U₁) ↔ ω₂ WHERE H(U),

where H(U₁) is a new history atom, and U₁ defines H(U). ◇

Please note that in Splitting Rule 2, U₁ does not define H(U₁), but merely uses it.

Example. Assuming H(1) is a new history atom, the update U: INSERT Emp(Reid, CSD) ∨ Emp(Reid, e) WHERE T is equivalent to the sequence of updates

INSERT Emp(Reid, CSD) ∨ H(1) WHERE T,

INSERT H(1) ↔ Emp(Reid, e) WHERE T. ◇

It is worth noting that Splitting Rule 2 would not work if the Update Algorithm treated history atoms as it does datoms. For if it did, then U₂ would change the truth valuation of H(U₁), rather than using it to identify the models where the update is incomplete. The proofs of these Splitting Rules will show that nothing in the Update Algorithm or in its proof of correctness prevents the use of history atoms in certain situations within updates; the system may as well make internal use of history atoms whenever this is convenient and correct.

To see the necessity of the restriction in Splitting Rules 1 and 2 that datoms of ω₁ and ω₂ must not unify, consider the update INSERT Emp(Reid, CSD) ∨ Emp(Reid, CSD) WHERE T. This update is not equivalent to the sequence of updates

INSERT Emp(Reid, CSD) ∨ H(1) WHERE T,

INSERT Emp(Reid, CSD) ↔ H(1) WHERE T,

because those two updates may create alternative worlds where Emp(Reid, CSD) is false. For example, if T has an empty body, then U₁ will produce a model M where Emp(Reid, CSD) is true and H(1) is false, and U₂ will make Emp(Reid, CSD) false in M. A similar problem occurs with the update INSERT Emp(Reid, CSD) ∧ ¬Emp(Reid, CSD) WHERE T.

Using DeMorgan’s laws and Splitting Rules 1 and 2, one can completely pick apart many ωs, using no more splits than there are conjunctions and disjunctions† in ω. Splitting Rules 1 and 2 only apply when ω takes a special form, however, and even when ω is in that form, at times it may be annoying to have to dissect ω just to get at one important datom. Splitting Rule 3 allows a one-step isolation of any set of datoms in ω; however, it may require the use of more history atoms than would be needed if Splitting Rules 1 and 2 were repeatedly applied.

† Express any other binary operations in ω in terms of ∧, ∨, and ¬.

The formula for ω_{U₂} in Splitting Rule 3 is rather intimidating. However, the intent is quite simple. If f is a datom of U to be removed from ω, then replace f by a history atom H(f, ℱ) in ω. Call this history substitution σ_ℱ. Then let U₁ insert (ω)σ_ℱ, and let U₂ insert f ↔ H(f, ℱ). The alarming second term of ω_{U₂} in Splitting Rule 3 is vacuously true except in the case where f unifies with an atom of (ω)σ_ℱ, the same case that caused restrictions in Splitting Rules 1 and 2. The second conjunct of ω_{U₂} in Splitting Rule 3 simply says that in models where f unifies with a datom of (ω)σ_ℱ, U₂ cannot change the truth valuation of f. Just how U₂ accomplishes that is a bit mysterious: H(f, U₂) is an atom from U₂'s own history substitution. Doug Hofstadter watch out!

Splitting Rule 3. Removal of selected datoms from ω. Let U be the update INSERT ω WHERE φ. Let ℱ be a subset of the datoms that occur in ω. Let σ_ℱ be a history substitution for the datoms in ℱ, composed of the replacement of every datom f in ℱ by a history atom H(f, ℱ).‡ Then U is equivalent under the Update Algorithm to the sequence of updates

$$U_1:\ \text{INSERT}\ (\omega)\sigma_{\mathcal{F}}\ \text{WHERE}\ \phi,$$

$$U_2:\ \text{INSERT}\ \bigwedge_{f \in \mathcal{F}} \Big( \big(f \leftrightarrow H(f,\mathcal{F})\big) \wedge \Big( \big(\bigvee_{\sigma \in \Sigma} \sigma\big) \rightarrow \big(H(f,\mathcal{F}) \leftrightarrow H(f,U_2)\big) \Big) \Big)\ \text{WHERE}\ H(U),$$

where U₁ defines H(U), and Σ is the set containing the wff F and all substitutions σ such that for some datom g in (ω)σ_ℱ, f unifies with g under most general substitution σ. ◇

Intuitively, this type of split is useful when the datoms in ℱ are too expensive or else need to be isolated from the other datoms of ω to facilitate vertical splitting of ω. U₁ leaves placeholders for those datoms in ω, in the form of history atoms. When the datoms of ℱ become affordable later on, their truth valuations can be tied to those of the history atoms in σ_ℱ through update U₂.

Example. Let U be the update INSERT (¬R(a) ∨ R(b)) ∧ (R(c) ∨ ¬R(b)) WHERE T, and let Q be the query INSERT Q(b) WHERE R(b). Suppose that U is expensive, and the only conflict preventing execution of Q is the write/read dependency on R(b). Then R(b) can be split out of U in one step by creating the two updates

U₁: INSERT (¬H(R(a), 1) ∨ R(b)) ∧ (H(R(c), 1) ∨ ¬R(b)) WHERE T,

U₂: INSERT (R(a) ↔ H(R(a), 1)) ∧ (R(c) ↔ H(R(c), 1)) WHERE T. ◇

‡ By analogy to U in H(f, U), ℱ in H(f, ℱ) is simply a unique constant not previously used in any history atom, so that H(f, ℱ) does not unify with any preexisting history atom.

Example. Let U be the update INSERT (e = a) ∧ R(e) ∧ ¬R(a) WHERE T. As ω is unsatisfiable, this update should eliminate all alternative worlds of any theory to which it is applied. Splitting U with Splitting Rule 3 produces

U₁: INSERT (e = a) ∧ R(e) ∧ ¬H(R(a), U₁) WHERE T,

U₂: INSERT (R(a) ↔ H(R(a), U₁)) ∧ ((e = a) → (H(R(a), U₁) ↔ H(R(a), U₂))) WHERE T.

Without this final conjunct of ω in U₂, U₁ and U₂ applied to an extended relational theory with empty body would produce an alternative world in which R(a) is false. The additional conjunct correctly eliminates all alternative worlds. ◇

Splitting Rule 4. Splits between disjuncts of φ. The update U: INSERT ω WHERE φ₁ ∨ φ₂ is equivalent under the Update Algorithm to the sequence of updates

U₁: INSERT ω WHERE φ₁,

U₂: INSERT ω WHERE (φ₂)σ_{HU₁},

where σ_{HU₁} is the history substitution for U₁. ◇

Example. The update INSERT Emp(Reid, CSD) WHERE Emp(Reid, EE) ∨ Mgr(Nilsson, e) is equivalent to the sequence of updates

U₁: INSERT Emp(Reid, CSD) WHERE Emp(Reid, EE),

U₂: INSERT Emp(Reid, CSD) WHERE Mgr(Nilsson, e). ◇

Though Splitting Rule 4 shows that it is possible to split between disjuncts of φ, in general it is not possible to split between conjuncts of φ, as all conjuncts of φ are needed to determine whether an alternative world is to be affected by the update.

We now turn to an examination of vertical splitting. In Splitting Rule 5 below, typically φ' will be a substitution σ, and there will be an update or query Q that depends on the results of U for some pair of datoms of Q and U that unify under substitution σ. It may be much cheaper to execute U only in those models where σ is true, rather than in all models where φ is true. This typically occurs if Skolem constants in the updates U and U₂ cause the unacceptable expense in U. For example, if U is INSERT Mgr(Nilsson, e) WHERE Emp(Reid, e), and Q is INSERT Q(Nilsson) WHERE Mgr(Nilsson, CSD), then Q has a write/read dependency on U. However, this dependency only materializes in models where e = CSD. If U is split into U₁: INSERT Mgr(Nilsson, e) WHERE Emp(Reid, e) ∧ e = CSD and U₂: INSERT Mgr(Nilsson, e) WHERE Emp(Reid, e) ∧ e ≠ CSD, then U₁ may well be affordable though U is not. U₂ can be executed later, as it will not be an ancestor of Q.

Splitting Rule 5. Vertical Splits. Let U be the update INSERT ω WHERE φ. If φ' is a ground wff, then U is equivalent under the Update Algorithm to the sequence of updates

U₁: INSERT ω WHERE φ ∧ φ' and

U₂: INSERT ω WHERE H(U) ∧ ¬φ',

where U₁ defines H(U). ◇

Example. Let U be the update INSERT Emp(Reid, e) WHERE T, and let U' be the update INSERT Emp(Reid, CSD) WHERE Mgr(Nilsson, CSD). There is a write/write dependency between U and U'; but this dependency only occurs for models where e is bound to CSD. If U is too expensive, try splitting U into

U₁: INSERT Emp(Reid, e) WHERE e = CSD,

U₂: INSERT Emp(Reid, e) WHERE e ≠ CSD.

Then U' does not depend on U₂, and U₁ may well be affordable. ◇
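To check Splitting Rules 1, 2 and 5 and the counterexample with unifying datoms mechanically, here is an added Python example (not the dissertation's code) that models the alternative-world semantics for ground, propositional updates only. It assumes no Skolem constants, so the e = CSD split of the example just above is replaced by a ground wff φ' = Mgr(Nilsson, CSD); per Remark 5-1 it does not define H(U) when φ is T; and it treats history atoms in ω as read-only, as the discussion of Splitting Rule 2 requires. The atom names and the functions all_worlds, insert, define_history and project are constructed for this illustration.

```python
from itertools import product

# Constructed, purely propositional model of the alternative-world semantics of
# INSERT omega WHERE phi (example code, not the dissertation's own). Atoms are
# ground, so there are no Skolem constants; an alternative world is a truth
# valuation of all atoms, and a theory with empty body has every valuation as an
# alternative world. History atoms are never written by an update: they keep
# the valuation of the world the update is applied to.


def all_worlds(atoms):
    """Every truth valuation of `atoms`: the models of a theory with empty body."""
    atoms = sorted(atoms)
    return {frozenset(zip(atoms, vals))
            for vals in product([False, True], repeat=len(atoms))}


def insert(worlds, datoms, omega, where):
    """Apply INSERT omega WHERE where to each alternative world.

    datoms: the atoms of omega the update may write (history atoms excluded).
    In a selected world, every completion of the writable atoms that satisfies
    omega becomes an alternative world; an unselected world passes through.
    If no completion satisfies omega, the world is eliminated (an assertion)."""
    names = sorted(datoms)
    result = set()
    for w in worlds:
        w = dict(w)
        if not where(w):
            result.add(frozenset(w.items()))
            continue
        for vals in product([False, True], repeat=len(names)):
            cand = dict(w)
            cand.update(zip(names, vals))
            if omega(cand):
                result.add(frozenset(cand.items()))
    return result


def define_history(worlds, hname, phi):
    """U1 'defines H(U)': record phi's valuation in each world before U1 runs."""
    return {frozenset({**dict(w), hname: phi(dict(w))}.items()) for w in worlds}


def project(worlds, atoms):
    """Worlds(T)|S: keep only the atoms in S, discarding history atoms."""
    return {frozenset((a, v) for a, v in w if a in atoms) for w in worlds}


T = lambda w: True  # the selection clause WHERE T

A, B, C = "Emp(Reid,CSD)", "Emp(Reid,EE)", "Mgr(Nilsson,CSD)"  # constructed datoms


def rule1_holds():
    """Splitting Rule 1: INSERT A ^ B WHERE T vs. INSERT A WHERE T; INSERT B WHERE T."""
    base = all_worlds({A, B})
    direct = insert(base, {A, B}, lambda w: w[A] and w[B], T)
    split = insert(insert(base, {A}, lambda w: w[A], T), {B}, lambda w: w[B], T)
    return direct == split


def rule2_holds():
    """Splitting Rule 2 with distinct datoms A, B and new history atom H(1)."""
    H = "H(1)"
    base = all_worlds({A, B, H})          # H(1) is new, so T leaves it unconstrained
    direct = insert(base, {A, B}, lambda w: w[A] or w[B], T)
    u1 = insert(base, {A}, lambda w: w[A] or w[H], T)   # H(1) is read, not written
    u2 = insert(u1, {B}, lambda w: w[H] == w[B], T)     # INSERT H(1) <-> B
    return project(direct, {A, B}) == project(u2, {A, B})


def unifying_datoms_break_rule2():
    """The text's counterexample: omega1 and omega2 are the same datom A.
    Returns the valuations of A in worlds the split produces but U does not."""
    H = "H(1)"
    base = all_worlds({A, H})
    direct = insert(base, {A}, lambda w: w[A], T)        # A v A is just A
    u1 = insert(base, {A}, lambda w: w[A] or w[H], T)
    u2 = insert(u1, {A}, lambda w: w[A] == w[H], T)
    extra = project(u2, {A}) - project(direct, {A})
    return sorted(dict(w)[A] for w in extra)


def rule5_holds():
    """Splitting Rule 5 with ground phi' = C: U1 runs WHERE B ^ C and defines
    H(U) <-> B beforehand; U2 then runs WHERE H(U) ^ not C."""
    H = "H(U)"
    base = all_worlds({A, B, C})
    direct = insert(base, {A}, lambda w: w[A], lambda w: w[B])
    u1 = insert(define_history(base, H, lambda w: w[B]),
                {A}, lambda w: w[A], lambda w: w[B] and w[C])
    u2 = insert(u1, {A}, lambda w: w[A], lambda w: w[H] and not w[C])
    return project(direct, {A, B, C}) == project(u2, {A, B, C})
```

The counterexample function reproduces the failure described in the text: starting from a theory with empty body, the split sequence yields a world in which Emp(Reid, CSD) is false, because H(1) was false there and U₂ then copies that value onto the datom. Changing `insert` so that history atoms are writable makes `rule2_holds` fail as well, which is the observation made after Splitting Rule 2.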

Sometimes two updates are guaranteed not to depend on one another by virtue of the fact that they take place in disjoint sets of alternative worlds. For example, the updates

INSERT Emp(Reid, e) WHERE e = CSD and

INSERT ¬Emp(Reid, e) WHERE e ≠ EE

will produce the same effect no matter which update is executed first. The NAP Algorithm takes advantage of any such opportunities created by vertical splitting, by eliminating dependencies of this sort between updates. However, it is not sufficient that the selection clauses of the two updates be mutually exclusive; for example, the effect of the two updates

INSERT Emp(Reid, CSD) WHERE Emp(Reid, CSD) and

INSERT ¬Emp(Reid, CSD) WHERE Emp(Reid, CSD)

depends upon the order in which they are executed.

Logical massage of φ and ω can be used to reduce the cost of Step 1 of the Update Algorithm, by removing datoms from U that are not subformulas of T or of pending ancestors of U. By applying a substitution σ to φ or ω, sometimes the resulting datoms in φ and ω already are subformulas of T even though the original datoms were not. Of course, this sword cuts both ways: applying σ may turn a datom that did occur in T into one requiring expenditures during Step 1.

Splitting Rule 6. Logical massage. The four updates

U₁: INSERT ω WHERE φ ∧ σ,

U₂: INSERT (ω)σ WHERE φ ∧ σ,

U₃: INSERT ω WHERE (φ)σ ∧ σ,

U₄: INSERT (ω)σ WHERE (φ)σ ∧ σ,

where σ is a ground substitution, are all equivalent. ◇

Of course the splits and rearrangements presented in the preceding splitting rules are not the only possible manipulations of updates. For example, U can be replaced by any other equivalent update; see Chapter 8 for rules on when two updates will be equivalent.

5.7.2. Correctness Proofs for Splits

Readers  not  interested  in  formal  proofs  of  correctness  for  the  splits  of  the  previous 
section  should  proceed  to  the  next  section. 

Proof of Splitting Rule 1. Let M be a model of extended relational theory T with Skolem constant substitution σ with respect to T, U₁, and U₂. Let M_{U₁} be a model of U₁(T), such that the alternative world of M_{U₁} is produced from that of M under the semantics for updates. Let M_{U₂} be a model of U₂(U₁(T)), such that the alternative world of M_{U₂} is produced from that of M_{U₁} under the semantics for updates. Then φ is true in M iff H(U) is true in M_{U₁}, by the arguments of Theorem 4-1. If φ is true in M, then ω₁ ∧ ω₂ is true in M_{U₂}, because (ω₁)σ and (ω₂)σ have no datoms or history atoms in common. Therefore M_{U₂} is a model of an alternative world produced by U applied to M.

If φ is false in M, then H(U) is false in M_{U₂}, and M_{U₂} is a model of an alternative world produced by applying U to M.

The reverse implication is symmetric. ◇


Proof of Splitting Rule 2. This proof follows the outline of the proof
of Splitting Rule 3, with significant differences only in the forward and reverse
proofs of correctness for Step 3. The revised forward and reverse proofs for Step
3 follow.

In the definition of $M_U$ and $M_{U_2}$, also define the truth valuation of $H(U_1)$:
let $H(U_1)$ be true in $M_{U_2}$ iff $\omega_2$ is true in $M_U$.

Consider those wffs added to $U_2(U_1(T))$ during Step 3 of $U_1$ or $U_2$. By
definition $M_{U_2}$ satisfies $(\phi)_{\sigma_{HU}} \to (\omega_1 \vee \omega_2)$. We must show that $M_{U_2}$ satisfies

$$((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \to ((\omega_1)_{\sigma_{HU_2}} \vee H(U_1))$$

and

$$((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \to (H(U_1) \leftrightarrow \omega_2).$$

The latter formula is true by definition of the truth valuation of $H(U_1)$ in
$M_{U_2}$. For the other formula, since no datom of $\omega_1$ unifies with an atom of
$\omega_2$, it follows that $(\omega_1)_{\sigma_{HU_2}}$ is identical to $\omega_1$. But then by definition of $M_{U_2}$,
the other formula is satisfied in $M_{U_2}$ as well.

For the reverse implication, consider the formula added to $U(T)$ during
Step 3 of $U$: $(\phi)_{\sigma_{HU}} \to \omega$. We know $M_U$ satisfies

$$((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \to ((\omega_1)_{\sigma_{HU_2}} \vee H(U_1))$$

and

$$((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \to (\omega_2 \leftrightarrow H(U_1)).$$

Again, because no datom of $\omega_1$ unifies with an atom of $\omega_2$, it follows that $(\omega_1)_{\sigma_{HU_2}}$
is identical to $\omega_1$. Therefore the latter two formulas together logically imply
that $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \to (\omega_1 \vee \omega_2)$ is true in $M_U$. Then by the definition of $M_U$,
$(\phi)_{\sigma_{HU}} \to (\omega_1 \vee \omega_2)$ is true in $M_U$. ◇
Proof of Splitting Rule 3. Let $\sigma_{HU}$, $\sigma_{HU_1}$, and $\sigma_{HU_2}$ be the history
substitutions for $U$, $U_1$, and $U_2$, respectively. First we show that any model
produced by $U$ is the model of an alternative world also produced by $U_1$ followed
by $U_2$.

Let $M_U$ be a model of $U(T)$. Let $M_{U_2}$ be a model identical to $M_U$
except that for every null-free datom $f$, the history atoms $H(f,U_1)$, $H(f,U_2)$,
and $H(f,F)$ are given the following truth valuations in $M_{U_2}$:

$H(f,U_1)$ gets the same valuation as $H(f,U)$;

$H(f,F)$ gets the same valuation as $f$;

$H(f,U_2)$ gets the same valuation as $f$, if $\exists g\,[\,g \in (\omega)_{\sigma_F}$ and $f \sim_\sigma g\,]$;

$H(f,U_2)$ gets the same valuation as $H(f,U)$, otherwise.

In addition, let $H(U)$ be true in $M_{U_2}$ iff $\phi$ is true in $M$. Note that $H(U)$
is true in $M_{U_2}$ iff $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$ is true in $M_{U_2}$; this correspondence will be
used throughout the formulas in this proof without special notice, by replacing
occurrences of $H(U)$ by an equivalent expression over $\phi$.

Clearly $M_U$ and $M_{U_2}$ represent the same alternative world. To show that
$M_{U_2}$ is a model of Worlds($U_2(U_1(T))$), we will consider all the possible reasons
that a particular wff might be in $U_2(U_1(T))$, and show that in each case, $M_{U_2}$
satisfies that wff.

First suppose $\alpha$ is a wff of the body of $T$. Then under the Update Algorithm,
$U_2(U_1(T))$ contains the wff $((\alpha)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$. $M_{U_2}$ satisfies $(\alpha)_{\sigma_{HU}}$, and by
definition therefore also satisfies $((\alpha)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$.

Now consider the wffs added to $T$ during Step 1 of update $U_1$. If $f$ is a
datom of $(\omega)_{\sigma_F}$, then $U_2(U_1(T))$ contains the wff

$$\Bigl(\bigl(f \to \bigvee_{g \in T,\; f \sim_\sigma g} g\bigr)_{\sigma_{HU_1}}\Bigr)_{\sigma_{HU_2}} \qquad (5\text{-}1)$$

Since $U(T)$ contains the wff

$$\bigl(f \to \bigvee_{g \in T,\; f \sim_\sigma g} g\bigr)_{\sigma_{HU}} \qquad (5\text{-}2)$$

it follows by definition that formula 5-1 is satisfied by $M_{U_2}$. If $f$ is a datom in
$F$, then $U_2(U_1(T))$ also contains the wff

$$\Bigl(f \to \bigl(\bigvee_{g \in T,\; f \sim_\sigma g} g \;\vee\; \bigvee_{g \in (\omega)_{\sigma_F},\; f \sim_\sigma g} g\bigr)\Bigr)_{\sigma_{HU_2}} \qquad (5\text{-}3)$$

† For $\alpha$ a wff, theory, or substitution, and $g$ an atom, the notation $g \in \alpha$ means "$g$ is a
subformula of $\alpha$". If $\alpha$ is a hyperedge or set of nodes in a graph, then the notation $g \in \alpha$ means
that the node $g$ is on the hyperedge or in the set of nodes $\alpha$. The notation $f \sim_\sigma g$ means that
$f$ unifies with $g$ under most general substitution $\sigma$.
Since formula 5-2 implies formula 5-3 under the definition of $M_{U_2}$, it follows that
formula 5-3 is satisfied by $M_{U_2}$.

Now consider those wffs added to $U_2(U_1(T))$ during Step 3 of $U_1$ or $U_2$.
We first show that $(\phi)_{\sigma_{HU}}$ is true in $M_{U_2}$ iff $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$ is true in $M_{U_2}$.

If $(\phi)_{\sigma_{HU}}$ is true in $M_{U_2}$, then $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$ must also be true there, by
definition of the truth valuations of $H(f,U_1)$. Conversely, if a datom $f$ of $\phi$ is a
subformula of $\sigma_{HU_2}$ but not of $\sigma_{HU_1}$, then it must be the case that $f$ unifies with
a datom of $T$ and does not unify with any datom of $(\omega)_{\sigma_F}$. But then by definition
the truth valuation of $H(f,U)$ is the same as that of $H(f,U_2)$. It follows that
$(\phi)_{\sigma_{HU}}$ is true in $M_{U_2}$ iff $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$ is true.

By definition $M_{U_2}$ satisfies $(\phi)_{\sigma_{HU}} \to \omega$. We must show that $M_{U_2}$ satisfies
the wff $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \to ((\omega)_{\sigma_F})_{\sigma_{HU_2}}$, introduced during Step 3 of $U_1$. If
$((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$ is true in $M_{U_2}$, then $(\phi)_{\sigma_{HU}}$ is also true, and therefore $\omega$ is true
in $M_{U_2}$. By definition of $M_{U_2}$, it follows that $((\omega)_{\sigma_F})_{\sigma_{HU_2}}$ is true in $M_{U_2}$. We
must also show that the wff introduced during Step 3 of $U_2$, a conjunction over
the datoms $f \in F$, is satisfied in $M_{U_2}$. But both conjuncts of each member of this
conjunction are true, by definition of $M_{U_2}$. Therefore $M_{U_2}$ satisfies the wffs added
during Step 3.

Now consider those wffs added to $U_2(U_1(T))$ during Step 4 of $U_1$ or $U_2$.
$M_{U_2}$ satisfies the wff of $U(T)$

$$(f \leftrightarrow H(f,U)) \;\vee\; \bigl((\phi)_{\sigma_{HU}} \wedge \bigvee_{g \in \omega,\; f \sim_\sigma g} \sigma\bigr), \qquad (5\text{-}4)$$

for each datom $f$ in $U(T)$ that unifies with a datom of $(\omega)_{\sigma_F}$ or $F$.

If $f$ in $U_2(U_1(T))$ unifies with a datom of $(\omega)_{\sigma_F}$, then $U_2(U_1(T))$ contains
the wff

$$((f)_{\sigma_{HU_2}} \leftrightarrow H(f,U_1)) \;\vee\; \bigl(((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \wedge \bigvee_{g \in (\omega)_{\sigma_F},\; f \sim_\sigma g} \sigma\bigr),$$

which is true by definition of $H(f,U_2)$ and $H(f,U_1)$, if $f$ also unifies with a datom of
$F$, and true by formula 5-4, otherwise.

If $f$ in $U_2(U_1(T))$ unifies with a datom of $F$, then $U_2(U_1(T))$ contains the
wff

$$(f \leftrightarrow H(f,U_2)) \;\vee\; \bigl(((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \wedge \bigvee_{g \in F,\; f \sim_\sigma g} \sigma\bigr).$$

Since $(\phi)_{\sigma_{HU}}$ is true iff $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$ is true, by the definition of $M_{U_2}$ and
formula 5-4 this formula is also satisfied by $M_{U_2}$. This establishes that $M_{U_2}$
satisfies the wffs added during Step 4 of $U_1$ and $U_2$, and that $M_{U_2}$ is a model of
an alternative world of $U_2(U_1(T))$.




To show that models produced by $U_1$ and $U_2$ represent alternative worlds
produced by $U$, suppose $M_{U_2}$ is a model of $U_2(U_1(T))$. Let $M_U$ be a model
differing from $M_{U_2}$ only in the following: $H(f,U)$ has the truth valuation in
$M_U$ of $H(f,U_1)$ in $M_{U_2}$ if $f$ unifies with a datom of $\sigma_{HU_1}$, and of $H(f,U_2)$
otherwise. Then $M_{U_2}$ and $M_U$ represent the same alternative world, and again
we must show that $M_U$ satisfies all the wffs of $U(T)$.

Let $\alpha$ be a wff of $T$. Then $(\alpha)_{\sigma_{HU}}$ is a subformula of $U(T)$. $M_U$ satisfies
$((\alpha)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$, and therefore $M_U$ satisfies $(\alpha)_{\sigma_{HU}}$.

Now consider wffs added to $T$ in Step 1 of $U$: for each datom $f$ that is a
subformula of $\omega$ but not of $T$, $U(T)$ contains the wff

$$(f)_{\sigma_{HU}} \to \bigvee_{g \in T,\; g \sim_\sigma f} g \qquad (5\text{-}5)$$

For $f$ in $(\omega)_{\sigma_F}$, $M_U$ satisfies the Step 1 wff of $U_2(U_1(T))$ for $f$ (formula 5-1
above), which implies that $M_U$ satisfies formula 5-5 as well.

For $f$ in $F$, $M_U$ satisfies the wff of $U_2(U_1(T))$

$$(f)_{\sigma_{HU_2}} \to \bigl(\bigvee_{g \in T,\; g \sim_\sigma f} g \;\vee\; \bigvee_{g \in (\omega)_{\sigma_F},\; g \sim_\sigma f} g\bigr). \qquad (5\text{-}6)$$

In formula 5-6, suppose $f$ is true in $M_U$. If the left-hand disjunct of 5-6
is true, then formula 5-5 is satisfied. Otherwise, for some $g$ from the right-hand
disjunct, $g$ is true in $M_U$; therefore $M_U$ must satisfy an instantiation of formula
5-5 for $g$. It follows that a left-hand disjunct of 5-6 must be true in $M_U$, and
therefore 5-5 is satisfied by $M_U$.

The formulas added to $U(T)$ during Step 4 of $U$ take the form, for $f$
unifying with a datom of $\omega$,

$$(f \leftrightarrow H(f,U)) \;\vee\; \bigl((\phi)_{\sigma_{HU}} \wedge \bigvee_{g \in \omega,\; g \sim_\sigma f} \sigma\bigr). \qquad (5\text{-}7)$$

If $f$ unifies with a datom of $(\omega)_{\sigma_F}$, and $f$ is a subformula of $T$, $\phi$, or $(\omega)_{\sigma_F}$, then
$M_U$ satisfies the formula of $U_2(U_1(T))$

$$((f)_{\sigma_{HU_2}} \leftrightarrow H(f,U_1)) \;\vee\; \bigl(((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \wedge \bigvee_{g \in (\omega)_{\sigma_F},\; g \sim_\sigma f} \sigma\bigr). \qquad (5\text{-}8)$$

For $f$ any datom of $U(T)$ unifying with a datom of $F$, $M_U$ also satisfies

$$(f \leftrightarrow H(f,U_2)) \;\vee\; \bigl(((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}} \wedge \bigvee_{g \in F,\; g \sim_\sigma f} \sigma\bigr).$$

If $f$ does not unify with datoms of both $(\omega)_{\sigma_F}$ and $F$, then formula 5-7 is
satisfied. Otherwise, if the left-hand disjunct of formula 5-8 is true in $M_U$, then
by definition of $M_U$, formula 5-7 is satisfied in $M_U$. If the left-hand disjunct is
false, then the right-hand one must be true; since the occurrence of a datom $g$
in $F$ implies that $g$ also is a subformula of $\omega$, it follows that 5-7 is again satisfied
for $M_U$.

Now consider the formula added to $U(T)$ during Step 3 of $U$: $(\phi)_{\sigma_{HU}} \to \omega$.
By the same argument used in the forward direction of this proof, $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$
is true in $M_U$ iff $(\phi)_{\sigma_{HU}}$ is true in $M_U$. It remains to show that $\omega$ is true when
$((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$ is true in $M_U$.

When $((\phi)_{\sigma_{HU_1}})_{\sigma_{HU_2}}$ is true in $M_U$, $M_U$ must satisfy the Step 3 wff of $U_2$
(the conjunction over the datoms $f \in F$ considered in the forward direction) and
formula 5-8. But these together imply that $M_U$ satisfies $(\omega)_{\sigma_F}$. By definition
of $M_U$, if $(\omega)_{\sigma_F}$ is true in $M_U$, then $\omega$ must be true in $M_U$. Therefore
$M_U$ satisfies the formulas added during Step 3 of $U$.

As $M_U$ satisfies all the wffs added to $T$ during the Update Algorithm for
$U$, we conclude that Worlds($U_2(U_1(T))$) = Worlds($U(T)$). ◇

Proof of Splitting Rule 4. Let $M$ be a model of $T$, and let $M_{U_1}$ be
a model whose alternative world is derived from $M$ by $U_1$ under the semantics
for updates. First, by the arguments of Theorem 4-1, $(\phi_2)_{\sigma_{HU_1}}$ is true in $M_{U_1}$
iff $\phi_2$ was true in $M$. It follows that Splitting Rule 4 is true for all models $M$
of $T$ where $\phi_1 \wedge \neg\phi_2$ or $\neg\phi_1 \wedge \phi_2$ is true. If $\phi_1 \wedge \phi_2$ is true in $M$, then
$\omega$ will be inserted into $M$ twice. But insertion of a wff is idempotent; for any
update $U$, Worlds($U(U(T))$) = Worlds($U(T)$). It follows that $U$ is equivalent
to the sequence of updates $U_1$ and $U_2$. ◇

Proof of Splitting Rule 5. Let $M$ be a model of $T$, and let $M_{U_1}$ be
a model whose alternative world is derived from $M$ by $U_1$ under the semantics
for updates. By the proof of Theorem 4-1, $H(U)$ will be true in $M_{U_1}$ iff $\phi$ was
true in $M$ before $U_1$ began. Therefore $\phi$ and $\phi'$ are true in $M$ iff $(\phi)_{\sigma_{HU_1}}$ and
$(\phi')_{\sigma_{HU_1}}$, respectively, are true in $M_{U_1}$. Reusing the proof of Splitting Rule 4, it
follows that Worlds($U_2(U_1(T))$) = Worlds($U(T)$). ◇
Proof of Splitting Rule 6. We will show that $U_1$ and $U_4$ are equivalent,
and the proofs for the rest follow. Let $M$ be a model of $T$, and let $\sigma_1$ be the
Skolem constant substitution for $M$ with respect to $T$, $\phi$, $\omega$, and $\sigma$. Let $M_{U_1}$ be
a model produced from $M$ by the Update Algorithm for update $U_1$. Then $\phi \wedge \sigma$
is true in $M$ iff $(\phi)_\sigma \wedge \sigma$ is true in $M$. If $\phi \wedge \sigma$ is false in $M$, the theorem follows.
If $\phi \wedge \sigma$ is true in $M$, then $\sigma_1$ logically entails $\sigma$, so if $\omega$ is true in $M_{U_1}$ then $(\omega)_\sigma$
is also. This implies that $M_{U_1}$ is also a model of an alternative world produced
by $U_4$.

For the other direction, let $M$ be as before, and let $M_{U_4}$ be a model
produced from $M$ by $U_4$. Suppose that $(\phi)_\sigma \wedge \sigma$ is true in $M$, as otherwise the
theorem follows. Then $(\omega)_\sigma$ is true in $M_{U_4}$. Since $\sigma_1$ logically entails $\sigma$, $((\omega)_\sigma)_{\sigma_1}$
is identical to $(\omega)_{\sigma_1}$, so $(\omega)_{\sigma_1}$ is true in $M_{U_4}$. It follows that $M_{U_4}$ is a model of
an alternative world produced by $U_1$. ◇

5.7.3. The Splitting Algorithm

The Splitting Algorithm shows how to split update hyperedges in the lazy graph.
Suppose an update $U$ is to be split into the sequence of updates $U_1 \cdots U_n$. Intuitively,
the job of the Splitting Algorithm is to move back in time to the moment
when $U$ was added to the lazy graph, and instead of adding $U$, successively add
$U_1$ through $U_n$. Then all the updates that arrived after $U$ can be added back into
the lazy graph. As the proof of correctness for the Splitting Algorithm will illustrate,
this can be done quite efficiently as long as in all vertical splits (Splitting
Rule 5), $\phi'$ contains no history atoms or datoms.

The Splitting Algorithm.

Input: A lazy graph $G$ containing node $U$, and the sequence of updates $U_1$ and
$U_2$ produced by splitting $U$ in accordance with Splitting Rules 1-4; or produced
by Splitting Rule 5, if $\phi'$ contains only equality atoms; or a single update $U_1$,
produced in accordance with Splitting Rule 6.

Output: An equivalent lazy graph $G'$ in which $U$ has been replaced by the new
updates $U_1$ and/or $U_2$, as appropriate.

Procedure: A sequence of three steps.

Step 1. Add new nodes. Set $G'$ to be $G$. Remove the nodes of $U$, the update
hyperedge of $U$, and all arcs incident to $U$ from $G'$. Let $G_U$ be the subgraph
of $G'$ containing only those nodes that are ancestors of nodes in $U$. Apply the
NAP Algorithm to add update hyperedge $U_1$ to the family hyperedge of $U$ in the
subgraph $G_U$. Repeat for $U_2$, if $U_2$ exists.

Step 2. Check arcs to children of $U$. If there is an arc in $G$ from a node of
$U$ to a node $g$ not in $U$, apply Step 2 of the NAP Algorithm and create, if Step
2 so requires, an arc from a node of $U_1$ or $U_2$ to $g$ in $G'$.

Step 3. Reestimate costs for children of $U$. If there was an arc in $G$ from
a node of $U$ to a node $g$ not in $U$, then the cost information for $g$ may change
in $G'$. In particular, the number of unifications for $g$ may decrease if some
datom $f$ of $U$ that unified with $g$ no longer is a subformula of $T$ or of any pending
ancestor of $g$. Adjust the unification counts to reflect these changes. ◇

Example. Given the lazy graph of figure 5-4, if update $U_1$ is split horizontally
according to Splitting Rule 2, the Splitting Algorithm produces

$U_3$: INSERT Emp(Reid, $e_1$) $\vee$ $H(1)$ WHERE T and

$U_4$: INSERT Mgr(Nilsson, $e_2$) $\leftrightarrow$ $H(1)$ WHERE T,

shown in the lazy graph produced by the Splitting Algorithm in figure 5-6. ◇


Figure 5-6. Splitting Algorithm example. (Figure not reproduced: the lazy graph
after the split, with $U_4$: INSERT Mgr(Nilsson, $e_2$) $\leftrightarrow$ $H(1)$ WHERE T; the legend
distinguishes update hyperedges from family hyperedges by line style.)
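As an added illustration, not part of the dissertation, the Python below models a lazy graph just far enough to run the three steps of the Splitting Algorithm on the example of figures 5-4 and 5-6 and to report the quantities the algorithm maintains: the ancestors and parents of a query, the unification count of Step 3, and the estimated cost of the parents' nodes under the rule of Assumption 2 in Section 5.9. The arc rule `conflict_arcs` is a simplified stand-in for Step 2 of the NAP Algorithm, whose tests are not reproduced on this page; the theory $T$, the query $Q$ and the cost function `skolem_cost` are constructed for the example; family hyperedges and cost bounds are not modelled.

```python
"""Added example, not from the dissertation: a miniature lazy graph with the
Splitting Algorithm of Section 5.7.3 and the node cost rule of Assumption 2
(Section 5.9).  Datoms are tuples ('Pred', term, ...); a term beginning with a
lower-case letter is a Skolem constant, anything else is a ground constant;
history atoms are ('H', tag).  conflict_arcs() is a simplified stand-in for
Step 2 of the NAP Algorithm, whose tests this page does not reproduce."""
from dataclasses import dataclass, field

def is_skolem(term):
    return str(term)[:1].islower()

def unify(f, g):
    """Most general substitution making atoms f and g identical, or None."""
    if f[0] != g[0] or len(f) != len(g):
        return None
    sigma = {}
    def deref(x):
        while x in sigma:
            x = sigma[x]
        return x
    for s, t in zip(f[1:], g[1:]):
        s, t = deref(s), deref(t)
        if s == t:
            continue
        if is_skolem(s):
            sigma[s] = t
        elif is_skolem(t):
            sigma[t] = s
        else:
            return None                   # two distinct ground constants
    return sigma

@dataclass
class Update:
    name: str
    omega: list                           # atoms written by INSERT omega
    phi: list = field(default_factory=list)   # atoms read by WHERE phi

    def nodes(self):
        return ([(self.name, 'omega', a) for a in self.omega] +
                [(self.name, 'phi', a) for a in self.phi])

def conflict_arcs(earlier, later):
    """One arc per unifying pair of atoms of which at least one is written."""
    arcs = set()
    for n1 in earlier.nodes():
        for n2 in later.nodes():
            if 'omega' in (n1[1], n2[1]):
                sigma = unify(n1[2], n2[2])
                if sigma is not None:
                    arcs.add((n1, n2, tuple(sorted(sigma.items()))))
    return arcs

def est_cost(nodes, datom_cost):
    """Assumption 2: equality atoms cost 0, history atoms 1, datoms EstCost(f)."""
    return sum(0 if a[0] == '=' else 1 if a[0] == 'H' else datom_cost(a)
               for _, _, a in nodes)

class LazyGraph:
    def __init__(self, theory_datoms):
        self.T = list(theory_datoms)      # datoms of the extended relational theory
        self.updates, self.order, self.arcs = {}, [], set()

    def add(self, u, position=None):
        """NAP stand-in: place u and connect it to every earlier update."""
        position = len(self.order) if position is None else position
        self.updates[u.name] = u
        self.order.insert(position, u.name)
        for name in self.order[:position]:
            self.arcs |= conflict_arcs(self.updates[name], u)

    def parents(self, name):
        return {a[0][0] for a in self.arcs if a[1][0] == name}

    def ancestors(self, name):
        seen, todo = set(), [name]
        while todo:
            for p in self.parents(todo.pop()) - seen:
                seen.add(p)
                todo.append(p)
        return seen

    def unification_count(self, node):
        """Step 3 quantity: datoms of T or of an ancestor's omega unifying with the node."""
        pool = self.T + [f for anc in self.ancestors(node[0]) for f in self.updates[anc].omega]
        return sum(f[0] != 'H' and unify(f, node[2]) is not None for f in pool)

    def split(self, name, parts):
        """Splitting Algorithm, Steps 1 and 2; Step 3 is recomputed by unification_count()."""
        position, ancestors = self.order.index(name), self.ancestors(name)
        children = {a[1][0] for a in self.arcs if a[0][0] == name}
        # Step 1: remove U and its incident arcs, then add U1, U2, ... in its
        # place, connected only to U's former ancestors (and to each other).
        self.arcs = {a for a in self.arcs if name not in (a[0][0], a[1][0])}
        self.order.remove(name)
        del self.updates[name]
        allowed = ancestors | {p.name for p in parts}
        for i, part in enumerate(parts):
            self.updates[part.name] = part
            self.order.insert(position + i, part.name)
            for anc in self.order[:position + i]:
                if anc in allowed:
                    self.arcs |= conflict_arcs(self.updates[anc], part)
        # Step 2: recreate arcs from the new updates to U's former children.
        for part in parts:
            for child in children:
                self.arcs |= conflict_arcs(part, self.updates[child])

def skolem_cost(atom):
    """Constructed EstCost(f): one unit plus one per Skolem constant."""
    return 1 + sum(is_skolem(t) for t in atom[1:])

def demo():
    """Figures 5-4/5-6: split U1 by Splitting Rule 2 with a query Q reading Mgr(Nilsson, CSD)."""
    G = LazyGraph(theory_datoms=[('Mgr', 'Kennedy', 'EE')])        # constructed T
    G.add(Update('U1', omega=[('Emp', 'Reid', 'e1'), ('Mgr', 'Nilsson', 'e2')]))
    G.add(Update('Q', omega=[('Q', 'Nilsson')], phi=[('Mgr', 'Nilsson', 'CSD')]))
    q_node = ('Q', 'phi', ('Mgr', 'Nilsson', 'CSD'))
    parent_cost = lambda: sum(est_cost(G.updates[p].nodes(), skolem_cost) for p in G.parents('Q'))
    before = (sorted(G.ancestors('Q')), G.unification_count(q_node), parent_cost())
    G.split('U1', [Update('U3', omega=[('Emp', 'Reid', 'e1'), ('H', '1')]),
                   Update('U4', omega=[('Mgr', 'Nilsson', 'e2'), ('H', '1')])])
    after = (sorted(G.ancestors('Q')), G.unification_count(q_node), parent_cost())
    return {'before': before, 'after': after, 'parents_after': sorted(G.parents('Q'))}

if __name__ == '__main__':
    print(demo())
```

Running `demo()` shows that after the split $Q$'s only parent is $U_4$ and the Emp(Reid, $e_1$) datom no longer counts toward the cost of $Q$'s parents, but $U_3$ remains an ancestor of $Q$ through the $H(1)$ arc from $U_3$ to $U_4$, since a history atom must be defined before it is used. This is the situation Assumption 3 in Section 5.9 warns about.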


The part of the Splitting Algorithm in serious need of formal justification
is its assumption that $U_1$ and $U_2$ have no descendants or ancestors other than
those nodes that were ancestors or descendants of $U$. Theorem 5-3 shows that this
assumption is in fact warranted. According to Theorem 5-3, close examination
of any seemingly missing arcs of $G'$ will show that the unifications under which
those conflicts would occur will never materialize.
Theorem 5-3. Let $S$ be a sequence of updates and queries containing
update or query $U$. Let $G$ be a lazy graph, created with the NAP and Splitting
Algorithms, with topological sort $S$. Let $G'$ be the lazy graph produced from $G$
by the Splitting Algorithm when $U$ is split into $U_1$ and $U_2$ (just $U_1$ if splitting in
accordance with Splitting Rule 6). Let $S'$ be the sequence created by replacing
$U$ in $S$ by $U_1\,U_2$. Use the NAP Algorithm to insert sequentially the updates and
queries of $S'$ into an initially empty lazy graph $G''$.

If $S_1$ and $S_2$ are reverse topological sorts of $G'$ and $G''$, respectively, then
$S_1$ and $S_2$ are equivalent. ◇

The proof of this theorem will show that there may be arcs that the
NAP Algorithm would include but the Splitting Algorithm does not; but for
any such arc, external factors will prevent the conflict predicted by the arc from
materializing. First a bit of terminology: If $U$ is an update or query, let $\phi_U$ be
the set of nodes on the lazy graph hyperedge for $U$ whose labels are subformulas
of $\phi$ of $U$; and let $\omega_U$ be defined analogously.

Proof of Theorem 5-3. Assume inductively that all splits previously
performed in $G$ have this property. Then if an arc labelled $\sigma$ appears in $G''$ and
not in $G'$ (a new arc), its presence cannot lead to a violation of Theorem 5-3
unless one endpoint of the arc is in $U_1$ or $U_2$ and the other is outside $U_1$ and $U_2$.
Suppose first that the endpoint is in $U_1$.

Looking at the formula that defines $U_1$ for the splits of Splitting Rule 1,
there are no atoms in $U_1$ that were not also subformulas of $U$; and the selection
clause $\phi$ is the same as it was in $U$. Therefore, by Step 2 of the NAP Algorithm,
no new arc could possibly have an endpoint in $U_1$.

Looking at the formula that defines $U_1$ for the splits of Splitting Rule 2,
there is only one datom or history atom, $H(U_1)$, that was not also a subformula
of $U$; and the selection clause $\phi$ is the same as it was in $U$. Therefore, by Step
2 of the NAP Algorithm, any new arc must have $H(U_1)$ as an endpoint. But
by definition $H(U_1)$ is not a subformula of any other update except $U_2$, nor does it unify
with any atom in any other update except $U_2$. Therefore there can be no new arc with
an endpoint in $U_1$.

For Splitting Rule 3, the same argument holds as for Splitting Rule 2.

For Splitting Rule 4, again there are no new atoms in $U_1$; however, $\phi$
has changed, so perhaps some unification that failed test (2) or (3) of Step 2
of the NAP Algorithm will now succeed. However, for test (2), if $\sigma \wedge (\phi_1 \vee \phi_2)$
is unsatisfiable, then $\sigma \wedge \phi_1$ must be unsatisfiable as well. For test (3), if $\phi_1 \vee \phi_2$
logically entailed $\sigma$, then so does $\phi_1$. Therefore there can be no new arcs with
an endpoint in $U_1$.

For Splitting Rule 5, by assumption $\phi'$ contains no non-equality atoms.
Therefore there are no new datoms or history atoms in $U_1$, and by the argument
for Splitting Rule 4, there can be no new arcs with an endpoint in $U_1$.




For Splitting Rule 6, there may indeed be new datoms in $\omega$ or $\phi$, created
by applying $\sigma$ to previously existing atoms. However, if $\sigma_1$ is the label of the
new arc, by Step 2 of the NAP Algorithm, it must be the case that $\sigma_1 \wedge \phi \wedge \sigma$ is
satisfiable, and so that arc should have been in $G$ all along. We conclude that
there can be no new arcs with an endpoint in $U_1$, for any type of split.

Now consider new arcs with an endpoint in $U_2$ and, say, $U'$ as the other
endpoint. For Splitting Rule 1, the only new atom in $U_2$ is $H(U)$. But by the
argument used above for $U_1$ of Splitting Rule 1, no new arc can have $H(U)$ as an
endpoint. Therefore if there is a new arc between $U_2$ and $U'$, it must be because
that arc formerly failed test (2) or (3) of the NAP Algorithm Step 2, and now
passes the test.

If test (3) was failed, suppose first that $U_2$ lies at the head of the new
arc, and update or query $U'$ lies at the tail of the arc. Let $T$ be an extended
relational theory with model $M$. Then by the definition of test (3), whenever
$\phi_{U_2}$ is true in a model $M$ of $T$, it must be the case that $\sigma$, defined in test (3),
is also true in $M$. As $\sigma$ contains only equality atoms, this property still holds
for the descendants of $M$ after any sequence of updates is applied to $M$. But
this means that when $U'$ is executed, its selection clause must be false in all the
descendants of $M$. This means that the conflict predicted by the new arc can
never materialize, as the result of applying $U_2$ and $U'$ to $M$ is independent of the
order in which they are applied. The proof is symmetric if $U'$ lies at the head of
the new arc and $U_2$ at the tail.

If test (2) was failed, $\sigma \wedge \phi$ was unsatisfiable. By the arguments of Theorem
4-1, $(\sigma \wedge \phi)_{\sigma_{HU_1}}$ will also be unsatisfiable; by the same arguments, after any
sequence of history substitutions, this property still holds. Therefore if $H(U)$ is
true in a model, it must be the case that $\sigma$ is false in that model, and therefore
the predicted conflict does not actually occur because the unification needed for
the dependency does not take place.

Consider the split of Splitting Rule 2. The same argument applies to $H(U)$
as for Splitting Rule 1. As $H(U_1)$ is not an implicit or explicit subformula outside
of $U_1$ and $U_2$, the theorem follows for that type of split.

The case of Splitting Rule 3 is identical to that of Splitting Rule 2.

For Splitting Rule 4, the arguments used for Splitting Rule 1 eliminate the
possibility that any new arc from outside could have a history atom of $(\phi_2)_{\sigma_{HU_1}}$
as an endpoint. Therefore if there is a new arc with $U_2$ as an endpoint, it must be
because that arc formerly failed test (2) or test (3) of the NAP Algorithm Step
2, and now passes these tests. If test (2) was failed, $\sigma \wedge (\phi_1 \vee \phi_2)$ was unsatisfiable,
which implies that $\sigma \wedge \phi_2$ was unsatisfiable. By the arguments of Theorem 4-1,
$(\sigma \wedge \phi_2)_{\sigma_{HU_1}}$ will also be unsatisfiable. And if test (3) was failed with selection
clause $\phi_1 \vee \phi_2$ for $U$, then test (3) must still be failed when the selection clause is
changed to $\phi_2$. It follows that there can be no new arcs with an endpoint in $U_2$.

For Splitting Rule 5, $\phi'$ contains no non-equality atoms, so there are no
new non-equality atoms in $U_2$ other than $H(U)$. By the argument used for
Splitting Rule 1, no new arc can have $H(U)$ as an endpoint. The only remaining
possibility is that some substitution now passes tests (2) and (3) of Step 2 of the
NAP Algorithm, but the argument used for Splitting Rule 1 also rules that out.
We conclude that Theorem 5-3 is true. ◇

5.8.  Assertions 

To drive the Lazy Algorithm, we need a policy on when updates should be processed
and executed. At the very least, queries should force the execution of as
many updates as are necessary to give a correct answer to the query. But update
processing and execution cannot be entirely query-driven: early execution or at
least special handling is required for assertions that are entered in response to a
query rejection. For example, if the user is told that a query about an employee
cannot be executed because of the datom Emp($e$, CSD), the user might assert
the value of $e$ and then reenter the query. The cost estimation function must
take note of this new assertion about $e$ and reduce the cost estimates of pending
updates in which $e$ occurs. Furthermore, the new information about $e$ can be
used to reduce the size of the extended relational theory, in effect retroactively
reducing the cost of all earlier updates that contained $e$! Since the earlier updates
have become more affordable than they originally were, their estimated
costs should be decreased in accordance with the savings realized in $T$. We omit
the algorithm for this aspect of lazy evaluation.

By letting update execution be entirely query-driven, we would miss some
other opportunities to reduce the size of the extended relational theory and to
reduce the cost estimates of other updates. For example, it is a good idea to
execute helpful assertions (ones that narrow down the range of possible values
for a Skolem constant) right away. If helpful updates are being blocked from
execution by expensive ancestors or by the presence of expensive datoms in the
same update, it may be worthwhile to use the Lazy Algorithm to force execution
of the helpful part of the update, rather than to keep it waiting in the wings until
query processing begins.

Another argument for early execution of assertions is that the user interface
routines will probably force processing and execution of as many pending
assertions as possible before presenting the user with the answer to a query, even
though not all assertions need be executed before the query is executed. This is
necessary if the most exact answer to a query is to be given, because any assertion
can eliminate an alternative world that was important to the query, and in the
process eliminate some candidate answer to the query.

5.9.  The  Costs  and  Benefits  of  the  Lazy  Algorithm 

As mentioned earlier, we have no nice worst-case theorems telling when a query
or update $U$ will be processable. This is due to the difficulty of splitting the
selection clause $\phi$ of an update; if $\phi$ were as easy to split as $\omega$ is, then an excellent
characterization would be possible of the benefits of the Lazy Algorithm. For this
reason, we characterize the behavior of the Lazy Algorithm for a certain class of
selection clauses $\phi$. This characterization depends on three assumptions:

Assumption 1. The non-interacting $\phi$ requirement: Let $Q$ be the incoming
query to be processed by the Lazy Algorithm. Then no datom that is
a subformula of $\phi$ of any proper ancestor of $Q$ in the lazy graph can also be a
subformula of $\omega$ of another ancestor of $Q$. ◇

Assumption  1  says  that  any  datom  read  by  a  parent  or  higher  ancestor  of 
Q  cannot  also  be  written  by  an  ancestor  of  Q. 

Assumption 2. The cost estimation function must satisfy the following
equation for any hyperedge or set of nodes $U$ in the lazy graph:

$$\mathrm{EstCost}(U) = \sum_{f \in U} \begin{cases} 0, & f \text{ an equality atom;} \\ 1, & f \text{ a history atom;} \\ \mathrm{EstCost}(f), & f \text{ a datom.} \end{cases}$$

For a particular datom node $f$, $\mathrm{EstCost}(f)$ must depend only on the cost information
stored at that node in the lazy graph. ◇

The purpose of Assumption 2 is to ensure that the cost estimation function
does not depend on hard-to-handle factors such as the number of update
hyperedges in the lazy graph or the distance of an update from a root in the lazy
graph. This is needed in order to establish a simple relationship between the
estimated cost of the nodes of an update before and after the update is split.

Assumption 3. Judicious use of history atoms: Let $Q$ be an incoming
query. At the time $Q$ is added to the lazy graph, every history atom arc in the
lazy graph must have one endpoint in an executed update. ◇

History arcs should rarely prevent execution of an otherwise affordable
update. The purpose of a history arc is to make sure that a history atom is
defined before it is used; a split of $U$ into $U_1$ and $U_2$ should always be performed
so that if $U_1$ defines the history atom and $U_2$ is an ancestor of the query or update
that is to be executed, then $U_1$ is not an ancestor solely because of history atom
arcs. For example, consider the update

$U$: INSERT Emp(Reid, $e$) $\wedge$ Mgr(Nilsson, CSD) WHERE Mgr(Kennedy, EE)

and the incoming query

$Q$: INSERT Q(Nilsson) WHERE Mgr(Nilsson, CSD).

Suppose that Emp(Reid, $e$) makes $U$ too expensive, and so $U$ is split according
to Splitting Rule 1 into

$U_1$: INSERT Emp(Reid, $e$) WHERE Mgr(Kennedy, EE)

and

$U_2$: INSERT Mgr(Nilsson, CSD) WHERE $H(U)$.

This was a most foolish choice of splits, because $Q$ still depends on $U_1$ through
a history atom definition arc for $H(U)$. Either Mgr(Kennedy, EE) should have
been used as the selection clause of $U_2$, or else Emp(Reid, $e$) should have been
split out of $U$ into $U_2$ rather than into $U_1$. Any reasonable choice of splitting
heuristics should satisfy Assumption 3.

Theorem 5-4 below gives a simple sufficient condition for queries to be
accepted by the Lazy Algorithm. First a bit of terminology: For any wff $\alpha$, let
$\|\alpha\|$ be the number of different datoms and history atoms in $\alpha$.

Theorem 5-4. Let $Q$ be an incoming query. If Assumptions 1, 2, and 3
are satisfied, then $Q$ will be accepted by the Lazy Algorithm if $Q$ is affordable
and for each update family $\mathcal{F}$ in the lazy graph that contains a parent of $Q$, the
difference between the cost bound for $\mathcal{F}$ and the amount spent so far on executed
updates of $\mathcal{F}$ is at least

$$\sum_{\substack{U \in \mathcal{F} \\ U \text{ a parent of } Q}} \Bigl( \mathrm{EstCost}(\phi_U) + \|\omega_U\| - 2 + \sum_{\substack{f \in \omega_U,\; g \in Q \\ f \sim_\sigma g}} \bigl(\mathrm{EstCost}(f) + 3\bigr) \Bigr). \qquad (5\text{-}10)$$

◇

Theorem 5-4 implies that when Assumptions 1, 2, and 3 are satisfied, there
is a quick test for acceptability that only requires looking at the parents of the
query, rather than all ancestors of the query. The proof of the theorem will show
what splits to use to achieve this bound.


Proof of Theorem 5-4. Let us examine how to split a particular parent U of Q to achieve the bound in formula 5-10. Suppose f_1 through f_n are the datoms of ω_U that have arcs going out to datoms in Q. Then first split U horizontally according to Splitting Rule 3, removing all datoms and history atoms of ω_U from ω_{U_1} except f_1 through f_n. Then U_1 is still an ancestor of Q, with the same estimated costs for its nodes as those nodes had in U before the split, by assumption 2; and with the same arcs going to Q as went from U to Q. U_2, however, is not an ancestor of Q, by assumption 1.

The next step is to separate out the datoms of ω_{U_1} into individual updates. To accomplish this, split U_1 n − 1 times according to Splitting Rule 3, removing datom f_i from U_1 on the ith split. By assumption 2, these splits will not alter the cost information for any node of a split update that originally appeared in U. Note that there is no need to define a new history atom H(U) at each split of Splitting Rule 3; every update that is split off can use the same selection clause H(U), defined by U_1 with the formula H(U) ↔ φ_U. This optimization was mentioned earlier, in Remark 5-1. The small savings realized through reuse of H(U) has been included in formula 5-10.

In the lazy graph resulting from this second round of splits, there are n updates split off from U that are now ancestors of Q; for simplicity, rename the updates in the graph as necessary so that these n updates are called U_1' through U_n'. We now review the form and estimate the costs of U_1' through U_n', beginning with U_1'.

Only one datom is a subformula of ω_{U_1'}: f_n. All other datoms of ω_U have been replaced by history atoms in ω_{U_1'}: there will be ||ω_U|| − 1 different history atoms in ω_{U_1'}. By assumption 2, each history atom has an estimated cost of 1. The selection clause of U_1' is the same as that for U. By assumption 2, it follows that EstCost(φ_{U_1'}) = EstCost(φ_U). U_1' defines a new history atom H(U), using the formula H(U) ↔ φ_U. Therefore the estimated cost of U_1' is no more than

$$\mathrm{EstCost}(f_n) + (\|\omega_U\| - 1) + \mathrm{EstCost}(\phi_U) + 1.$$

U_2' through U_n' all take the form

$$\text{INSERT } \bigl(f \leftrightarrow H(f, c_i)\bigr) \wedge \Bigl(\bigl(\bigvee_{\beta \in S} \beta\bigr) \leftrightarrow H(f, d_i)\Bigr) \text{ WHERE } H(U),$$

for some constants c_i and d_i, where S is the set of datoms remaining in ω at the time f is being split out of ω. This form has an upper bound on estimated costs of EstCost(f) + 3.

Summing the estimated costs of U_1' through U_n' produces an upper bound estimate of

$$\mathrm{EstCost}(f_n) + (\|\omega_U\| - 1) + \mathrm{EstCost}(\phi_U) + 1 + \sum_{1 \le i < n} \bigl(\mathrm{EstCost}(f_i) + 3\bigr),$$

which simplifies to

$$\|\omega_U\| - 2 + \mathrm{EstCost}(\phi_U) + \sum_{1 \le i \le n} \bigl(\mathrm{EstCost}(f_i) + 3\bigr). \qquad (5\text{-}11)$$

If  these  two  stages  of  splitting  are  applied  to  all  the  parents  of  Q,  then 
summing  formula  5-11  over  all  parent  families  gives  formula  5-10.  However, 
the  theorem  is  not  quite  proven:  Q  may  still  have  ancestors  in  the  lazy  graph 
other  than  its  parents.  It  will  require  two  more  rounds  of  splitting  to  remove 
these  undesirable  ancestors.  These  rounds  of  splits,  however,  will  not  change  the 
estimated  costs  of  the  parents  of  Q. 

Let V be a parent of Q in the lazy graph after the first two rounds of splitting. To eliminate unwanted ancestors of V, let φ' be the disjunction of all the substitutions labelling arcs that go from V to Q. Split V vertically on φ' according to Splitting Rule 5, producing updates V_1 and V_2. Splitting V with Splitting Rule 5 does not change the cost estimates for the nodes of V, because vertical splitting does not change the datoms or history atoms of the split update.

After this third stage of splitting, suppose there is still a parent A of V_1 such that A is not a parent of Q. Then by assumptions 1 and 3, there must be a datom f of ω_A that unifies with a datom f' of ω_{V_1} under a most general substitution σ'. Since f' is the only datom in ω_{V_1}, f' must unify with some datom g of Q under a most general substitution σ. Further, by definition of V_1, σ must be one of the substitutions in the selection clause φ' of φ_{V_1}: writing Θ for the set of substitutions labelling arcs from V to Q,

$$\phi_{V_1} \;\text{ is }\; \phi_U \wedge \bigvee_{\sigma \in \Theta} \sigma.$$

Since A is a parent of V_1, by Step 2 of the NAP Algorithm it must be the case that σ' ∧ φ_U ∧ (⋁_{σ∈Θ} σ) is satisfiable; therefore for some choice of σ, σ' ∧ σ must be satisfiable. This implies that f unifies with g under substitution σ' ∧ σ. Yet A is not a parent of Q; therefore it must be the case that there is no arc from f to g because that arc fails test (2) or (3) of the NAP Algorithm Step 2.

First consider the case where the arc fails test (3). In this case there is an equality wff α such that, say, φ_A logically entails α and φ_Q logically entails ¬α. Let φ' be the wff ¬α, and split V_1 vertically with Splitting Rule 5 on φ', creating updates V_3 and V_4. Then by test (3) of the NAP Algorithm Step 2, V_4 is not a parent of Q, and A is not a parent of V_3. Therefore A is no longer an ancestor of Q by any path that goes through V_3 or V_4.

Now consider the case where the arc from f in A to g in Q passed test (3) but failed test (2) of Step 2 of the NAP Algorithm. In this case either σ'' ∧ φ_Q or σ'' ∧ φ_A must be unsatisfiable, where σ'' is the most general substitution under which f and g unify. A simplified diagram of the relevant portion of the lazy graph, including the illegal arc σ'' from A to Q, appears in figure 5-7.


Figure  5-7.  Portion  of  simplified  lazy  graph. 

Let S be the set of all choices for σ'', that is, the set of all substitutions σ'' such that f ∈ ω_A, g ∈ Q, and f →_{σ''} g. Let φ' be ⋁_{σ''∈S} τ(σ''), where τ(σ'') is σ'' if σ'' ∧ φ_A is unsatisfiable, and is ¬σ'' otherwise. Split V_1 vertically with Splitting Rule 5 on φ', creating updates V_3 and V_4. We will now show that there is no path from A to Q through V_3 or V_4.

Suppose that σ'' ∧ φ_Q is unsatisfiable. Then φ_Q logically entails ¬σ''. Since σ'' is at least as general as σ, ¬σ'' logically entails ¬σ. It follows that σ ∧ φ_Q is also unsatisfiable. Therefore no arc labelled σ can go from V_3 or V_4 to Q, by test (2) of the NAP Algorithm Step 2. Further, φ_{V_3} logically entails ⋁_{σ''∈S} τ(σ''). Therefore φ_{V_3} logically entails ¬σ'', and φ_{V_3} logically entails ¬σ and ¬σ' as well. We conclude that there can be no arc labelled σ from V_3 to Q and no arc labelled σ' from A to V_3, when σ'' ∧ φ_Q is unsatisfiable.

Following the same line of reasoning when σ'' ∧ φ_A is unsatisfiable leads to the conclusion that no arc labelled σ' can go from A to V_3 or V_4, and no arc labelled σ can go from V_4 to Q, when σ'' ∧ φ_A is unsatisfiable.

It  follows  that  the  only  arcs  between  A,  V3,  V4,  and  Q  fall  into  the  following 
three  classes: 

1. Arcs from V_3 to V_4.

2. Arcs labelled σ from V_3 to Q, when σ'' ∧ φ_A is unsatisfiable.

3. Arcs labelled σ' from A to V_4, when σ'' ∧ φ_Q is unsatisfiable.

Figure 5-8 depicts a simplified lazy graph containing A, V_3, V_4, Q, the phantom arc σ'' from A to Q, and for clarity V and its arcs as well, though of course the Splitting Algorithm would have removed V from the lazy graph before V_3 and V_4 were inserted.


Figure  5-8.  Portion  of  simplified  lazy  graph. 


Note that there is no path from A to Q via V_3 or V_4. Therefore after applying this final round of splitting to all ancestors of Q that are not parents of Q, all such ancestors will no longer be ancestors of Q, and the theorem follows. ◇
An improvement to this theorem immediately suggests itself. Read/write dependency arcs coming into an update need not prevent execution of that update, because history predicates can be used as a versioning mechanism to eliminate the read/write conflicts. This means that it is quite possible to execute updates in the lazy graph without following a pure topological sort, as read/write arcs need not determine execution order. For example, if update U_1 is INSERT Emp(Reid, CSD) WHERE Emp(Reid, CSL), and update U_2 is INSERT ¬Emp(Reid, CSL) WHERE T, then there is a read/write conflict between U_1 and U_2. However, U_2 can be executed ahead of U_1 as long as U_1 reads H(Emp(Reid, CSL), U_2) rather than Emp(Reid, CSL).

The situation is a bit more complex if the read/write dependency arc has a substitution label other than T. For example, if U_1 were INSERT Emp(Reid, CSD) WHERE Emp(Reid, e), then U_1 could not get by with reading H(Emp(Reid, e), U_2), for H(Emp(Reid, e), U_2) may be true in models where Emp(Reid, e) never was true. This anomaly can occur whenever Emp(Reid, e) is not already a subformula of 𝒯 at the time U_2 is executed. The solution is for U_1 to be replaced by INSERT Emp(Reid, CSD) WHERE (Emp(Reid, e) ∧ (e ≠ CSL)) ∨ (H(Emp(Reid, e), U_2) ∧ (e = CSL)), if U_2 is executed before U_1.

5.10.  Summary  and  Conclusion 

As noted in Chapter 3, the Update Algorithm may lead to excessive increases in the size of an extended relational theory 𝒯 as expensive updates are incorporated into 𝒯. To control the growth of 𝒯, we propose a scheme of lazy evaluation for updates. Lazy evaluation strictly bounds the growth of the extended relational theory caused by each update, via user-specified limits on permissible size increases. Under lazy evaluation, an overly expensive update U will be stored away rather than executed, in the hope that new information on costly null values will reduce the expense of executing U before the information contained in U is needed for an incoming query. If an incoming query unavoidably depends on the results of an overly expensive portion of an update, the query must be rejected, as there is no way to reason about the information in the update other than by incorporating it directly in the extended relational theory. When a query is rejected, the originator of the query is notified of the exact reasons for the rejection. The query may be resubmitted once the range of possible values of the troublesome nulls has been narrowed down. The bottom line for an efficient implementation of updates, however, is that null values should not be permitted to occur as attribute values for attributes heavily used in update selection clauses, particularly those used as join attributes.
Chapter 6: Enforcement of Dependency Axioms


Until now, we have considered extended relational theories without type axioms (an encoding of the schema of the database) and dependency axioms (e.g., functional and multivalued dependencies [Ullman 82]), because the complications introduced by those axioms are orthogonal to the other issues in updating extended relational theories.

Dependency  axioms  can  play  a  number  of  roles  in  ordinary  relational  data¬ 
bases  during  updates.  A  policy  decision  must  be  made  for  each  axiom,  based  on 
the  intended  semantics  of  the  axiom.  If  a  requested  update  would  lead  to  a 
database  state  that  violated  the  axiom,  then  the  database  management  system’s 
possible  enforcement  policies  include  rejecting  the  update;  performing  the  update 
and  also  making  additional  changes  in  the  database  to  make  it  obey  the  axiom; 
and  performing  the  update  and  ignoring  the  temporary  inconsistency.  In  data¬ 
bases  with  incomplete  information,  dependency  axioms  play  another  important 
role,  that  of  identifying  and  eliminating  “impossible”  alternative  worlds.  For  ex¬ 
ample,  if  a  manager  can  only  manage  one  department  at  a  time  and  we  know 
that  Mgr(Nilsson,  CSD)V  Mgr(Nilsson,  EE)  is  true,  then  the  alternative  world 
where  Nilsson  manages  both  CSD  and  EE  is  inconsistent  with  the  axiom  and 
can  be  eliminated  out  of  hand.  As  yet  another  possible  enforcement  policy,  if 
a  requested  update  would  create  alternative  worlds  that  violate  the  axiom  and 
the  update  is  known  to  be  correct,  then  the  axiom  can  be  changed.  This  policy 
is  implemented  in  Step  1  of  the  Update  Algorithm,  for  the  completion  axioms. 
These  axiom  enforcement  policies  are  summarized  in  Table  6-1. 

All  five  of  these  axiom  enforcement  policies  are  reasonable;  the  correct 
choice  of  a  policy  for  a  particular  axiom  depends  on  the  semantics  of  the  axiom 
and  the  database,  and  we  delegate  this  decision  to  a  higher  authority,  such  as  the 
database  administrator.  The  remainder  of  this  chapter  presents  a  mechanism  to 
enforce  axioms  by  permanently  weeding  out  impossible  alternative  worlds  (called 
strict  enforcement),  to  be  employed  as  the  database  administrator  sees  fit.  En 
route  we  will  point  out  how  to  perform  passive  enforcement,  that  is,  to  ignore 
temporary  inconsistencies  between  the  theory  body  and  its  axioms — perhaps  not 
a  logically  sound  procedure,  but  one  used  daily  by  humans  with  spectacular 
success. 

We begin by defining the class of type and dependency axioms under consideration here, then explain what kind of axiom enforcement is provided by Versions I and II (presented in Chapters 3 and 4, respectively) of the Update Algorithm, and extend the Update Algorithm to provide strict axiom enforcement. To simplify the presentation of this material, all updates are assumed to be variable-free, and Version I of the Update Algorithm will be used as the point of departure.

If an update U applied to alternative world A would create an alternative world A' that violates axiom α, then ...

1. Reject U.

2. Make additional changes in A' so that it does not violate α.

3. Ignore the temporary inconsistency and permit a later update U' to remove the violation of α in A'.

4. Eliminate A' permanently.

5. Change α.

Table 6-1. Axiom enforcement policies.

6.1.  Extended  Relational  Theories  with  Type  and  Dependency 
Axioms 

Type axioms encode the relationship between predicates and attributes, so that, for example, given that Emp(Reid, CSD) is true, it follows that Reid must be an element in the employee domain and CSD must be a department. Type axioms are useful for controlling the effects of negation and ensuring that queries and updates are safe.† For example, Reiter [84b] suggests that all constants, Skolem constants, and variables occurring in queries should be typed so that the query will be safe. System R [Chamberlain 76] and INGRES [Stonebraker 85] employ a similar mechanism on a higher level by requiring RANGE OF and SELECT FROM statements for all the tuple variables of requests.

For a formal definition of type axioms, distinguish a particular set 𝒜 of unary predicates of ℒ as the attributes of ℒ. For each n-ary predicate R not in 𝒜, an extended relational theory 𝒯 with type axioms must contain exactly one axiom of the form

$$\forall x_1 \cdots \forall x_n \bigl( R(x_1, \ldots, x_n) \rightarrow (A_1(x_1) \wedge \cdots \wedge A_n(x_n)) \bigr),$$

where A_1, …, A_n are predicates in 𝒜. Further, each predicate in 𝒜 must appear in one or more type axioms.

Strict enforcement of type axioms may be painful if experienced directly by users. For example, rather than just requesting INSERT Emp(Reid, CSD) WHERE T, under strict enforcement the user must remember to ensure that Reid and CSD are elements in the correct domains: INSERT Emp(Reid, CSD) ∧ Employee(Reid) ∧ Department(CSD) WHERE T. A better alternative is to enforce the type axioms through axiom modification, as is done for the completion axioms: to modify the type axioms during the update so that the update cannot violate them.

† A domain completion axiom can be employed to the same end.
The definition of extended relational theories must be extended to include a set of universally quantified axioms that are to be strictly enforced (strict axioms, for short). As far as the Update Algorithm is concerned, all strict axioms can be lumped together in a Strict Axiom section of the extended relational theory. So in addition to a body and a set of completion axioms, items 1 and 2 in the definition of an extended relational theory in Section 3.1, every extended relational theory 𝒯 now includes a third section:

3. Strict Axioms: A set of strictly enforceable (to be defined in Section 6.3) universal sentences not containing history predicates. ◇

For example, a typical functional dependency would be

$$\forall x_1 \forall x_2 \forall x_3 \bigl( (\mathrm{Emp}(x_1, x_2) \wedge \mathrm{Emp}(x_1, x_3)) \rightarrow (x_2 = x_3) \bigr).$$

Some  universal  sentences  not  containing  history  predicates  will  be  too  ex¬ 
pensive  to  enforce  easily,  and  these  are  excluded  from  the  strict  axiom  section. 
Section  6.3  will  single  out  the  affordable  axioms  in  its  definition  of  strict  enforce¬ 
ability.  We  do  not  present  that  definition  here  because  it  relies  on  intuitions  that 
will  be  developed  in  later  sections. 

6.2.  Semantics  of  Updates  Revisited 

The semantics of updates must be augmented with one additional proviso for strict enforcement of axioms: every model M′ in U(M) must satisfy the strict axioms of 𝒯. In the proofs below, this new provision is referred to as rule 3 in the definition of INSERT, to be appended to rules 1 and 2 of the original definition:

(3) for all strict axioms α of 𝒯, α is true in M′.

A particular update algorithm strictly enforces α for an update U if for every extended relational theory 𝒯, rule 3 is satisfied by all members of Worlds(U(𝒯)). For the remainder of this chapter, "enforcement" will mean strict enforcement unless otherwise noted.

In  this  discussion,  the  strict  axioms  will  be  permanently  fixed  for  each 
database  schema.  It  is  trivial  to  extend  the  types  of  updates  permitted  to  allow 
addition  of  new  dependencies,  constants,  or  relations. 

6.3.  The  Update  Algorithm  Revisited 

What  sort  of  axiom  enforcement  is  provided  by  the  Update  Algorithm  Version  I? 
Suppose  the  extended  relational  theory  body  consists  of  the  wffs  Emp(Reid,  EE) 
and  Emp(Reid,  CSD)V  Mgr(Nilsson,  CSD).  If  there  is  a  functional  dependency 
stating  that  an  employee  can  be  in  at  most  one  department  at  a  time,  then 
some  models  of  the  body  of  this  theory  are  inconsistent  with  that  functional 
dependency,  and  will  not  be  models  of  the  theory  containing  that  functional 
dependency  as  a  strict  axiom.  It  follows  that  in  every  alternative  world  of  the 
full  theory  containing  that  axiom,  Nilsson  is  the  manager  of  CSD.  Unfortunately, 
when  using  the  Update  Algorithm  Version  I,  a  later  update  may  “rescue”  the 
alternative  worlds  where  Reid  is  in  two  departments  and  pop  them  back  into 
existence. In the current example, a new update INSERT ¬Emp(Reid, EE) WHERE T, when processed according to the Update Algorithm, would blithely produce alternative worlds where Nilsson is not the manager of CSD, though these worlds are in fact impossible if the axiom and update are interpreted strictly.

These "rescued" worlds arise because the versions of the Update Algorithm seen so far enforce the department axiom passively, merely using it to shape answers to queries at the current moment. This passive enforcement allows the update INSERT ¬Emp(Reid, EE) WHERE T to rescue the alternative world where Reid is in both CSD and EE and make its descendant a legitimate world for future computations. In general, any time an update removes all axiom violations from an "impossible" alternative world, Versions I, II, and III of the Update Algorithm will rescue the descendants of that alternative world.

As  mentioned  in  the  introduction  to  this  chapter,  passive  enforcement  will 
be  the  best  choice  for  some  applications,  and  when  passive  enforcement  is  desired, 
then  the  update  algorithms  of  previous  chapters  may  be  used.  If  an  axiom  is  to  be 
strictly  enforced,  however,  then  the  alternative  worlds  produced  by  these  update 
algorithms  will  be  incorrect.  In  the  remainder  of  this  chapter,  we  consider  how 
to  alter  the  Update  Algorithm  to  move  from  passive  to  strict  enforcement:  how 
to  eliminate  forever  the  alternative  world  where  Reid  is  in  both  CSD  and  EE. 
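The rescue described above, worked through as an added example (this is not code from the dissertation): a small Python model enumerator represents each alternative world as the set of datoms true in it, applies INSERT ω WHERE φ world by world under rules (1) and (2) of the update semantics, and compares passive enforcement of the functional dependency (the axiom is consulted only when the query is answered) with strict enforcement (rule (3) is applied during the update). The three-datom universe, the encoding of wffs as Python predicates, and the function names are choices made for this example; the completion axioms are modelled by simply not listing any other datom.

```python
from itertools import combinations

# Constructed example following the chapter's Emp/Mgr scenario: these are the
# only datoms that can be true (the completion axioms make every other datom
# false), so an alternative world is just the subset of them that holds.
DATOMS = ("Emp(Reid,EE)", "Emp(Reid,CSD)", "Mgr(Nilsson,CSD)")


def all_worlds(datoms):
    """Every truth assignment over a finite datom set, as frozensets of true datoms."""
    return [frozenset(c) for k in range(len(datoms) + 1) for c in combinations(datoms, k)]


def body(w):
    """Theory body of the text's example: Emp(Reid,EE) AND (Emp(Reid,CSD) OR Mgr(Nilsson,CSD))."""
    return "Emp(Reid,EE)" in w and ("Emp(Reid,CSD)" in w or "Mgr(Nilsson,CSD)" in w)


def one_department(w):
    """Strict axiom: an employee is in at most one department (instantiated for Reid)."""
    return not ("Emp(Reid,EE)" in w and "Emp(Reid,CSD)" in w)


def insert(worlds, omega, omega_datoms, phi, strict_axioms=()):
    """INSERT omega WHERE phi, variable-free, applied to a set of alternative worlds.

    Rule (1): a world M not selected by phi is left unchanged.
    Rule (2): a selected world M may become any M' that satisfies omega and
              agrees with M on every datom outside omega.
    Rule (3): with strict enforcement, M' must also satisfy every strict axiom.
    """
    result = set()
    for m in worlds:
        if not phi(m):
            result.add(m)
            continue
        kept = m - frozenset(omega_datoms)            # datoms outside omega keep their value
        for choice in all_worlds(omega_datoms):       # datoms of omega may take any value ...
            m2 = kept | choice
            if omega(m2) and all(ax(m2) for ax in strict_axioms):   # ... that makes omega true
                result.add(m2)
    return result


def holds_everywhere(worlds, query):
    """A yes/no query is answered 'yes' only if it is true in every alternative world."""
    return bool(worlds) and all(query(w) for w in worlds)


def rescue_demo():
    """Passive versus strict enforcement of the FD across INSERT not Emp(Reid,EE) WHERE T."""
    axioms = (one_department,)
    body_models = [w for w in all_worlds(DATOMS) if body(w)]
    legal_before = [w for w in body_models if one_department(w)]   # Worlds(T) with the axiom

    nilsson_mgr = lambda w: "Mgr(Nilsson,CSD)" in w                  # the query
    omega = lambda w: "Emp(Reid,EE)" not in w                        # omega of the update
    true_sel = lambda w: True                                        # selection clause T

    # Passive: the update runs over every model of the body, including the
    # "impossible" one where Reid is in both departments; the axiom is only
    # applied afterwards, when the query is answered.
    passive_after = insert(body_models, omega, ["Emp(Reid,EE)"], true_sel)
    passive_legal = [w for w in passive_after if one_department(w)]

    # Strict: only worlds satisfying the axiom are updated, and rule (3) applies.
    strict_after = insert(legal_before, omega, ["Emp(Reid,EE)"], true_sel, axioms)

    rescued = sorted(sorted(w) for w in set(passive_legal) - strict_after)
    return {
        "before": holds_everywhere(legal_before, nilsson_mgr),
        "passive": holds_everywhere(passive_legal, nilsson_mgr),
        "strict": holds_everywhere(strict_after, nilsson_mgr),
        "rescued": rescued,
    }


if __name__ == "__main__":
    for key, value in rescue_demo().items():
        print(key, value)
```

Before the update the query "is Nilsson the manager of CSD?" is answered yes, because the axiom leaves a single legal world. After the passive update the descendants of the impossible world (Reid in CSD, with or without Nilsson as manager) no longer violate the axiom and survive the query-time filter, so the same query is now answered no; under strict enforcement those worlds never exist and the answer stays yes.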

Proposition  6-1  suggests  a  means  of  axiom  enforcement  through  instanti¬ 
ation  of  axioms. 

Proposition 6-1. Let 𝒯 be an extended relational theory and let 𝒯+α be that theory plus a universal sentence α without history predicates, to be strictly enforced. If Worlds(𝒯) = Worlds(𝒯+α), then the Update Algorithm Version I will strictly enforce α on the next update U applied to 𝒯+α. ◇

Proof of Proposition 6-1. By definition all models that are produced by the Update Algorithm do satisfy α. The worry is that some model produced might not be descended from a model that satisfies α. Let 𝒯′ be the theory produced from 𝒯 by the Update Algorithm Version I. For the alternative world of a model M′ of 𝒯′ to be produced by U, M′ must be derived from a model M that satisfies 𝒯, as proved in Theorem 4-1. Then by assumption M also satisfies α, so M′ is descended from a model of 𝒯+α. ◇

This  proposition  immediately  suggests  one  means  of  axiom  enforcement. 
If  variables  are  allowed  to  occur  in  the  body  of  the  extended  relational  theory, 
as  in  Section  4.4,  one  can  keep  a  copy  of  the  dependency  axiom  in  the  body 
of  the  theory  at  all  times,  and  the  axiom  will  always  be  strictly  enforced.  In 
the  remainder  of  this  discussion,  we  assume  that  variables  are  not  permitted  to 
occur  in  the  body  of  the  extended  relational  theory.  The  variable-free  case  is 
important  because  management  of  very  large  volumes  of  data  relies  on  regularity 
and  simplicity  of  the  data  to  allow  efficient  access  to  and  inference  from  the  data. 
When variables appear in the body of the theory rather than solely in its axioms, the assumptions of regularity and simplicity must be abandoned, and processing costs will rise steeply.

To ensure that the alternative worlds of 𝒯+α are the same as those of 𝒯, at first glance it might seem sufficient to add a ground instantiation (α)_σ† of α to 𝒯 for every substitution σ of constants and Skolem constants such that (α)_σ is not valid. Unfortunately, this assumption is flawed on two accounts. First, there may be elements in the universe that are not named by any constants or Skolem constants in 𝒯. It is not possible to instantiate the axiom with these elements, yet they must be considered: the user might pose a yes/no query using only symbols in ℒ that would detect rescues of worlds involving these unnamed elements.†† As shown below, the completion axioms will help to prevent this anomaly.

Second,  even  if  all  elements  in  the  universe  are  named  by  constants  or  ref¬ 
erenced  by  Skolem  constants,  there  may  be  an  infinite  number  of  these  constants, 
and  an  infinite  number  of  instantiations  may  be  needed  to  enforce  a.  Infinite  the¬ 
ory  bodies  are  unpleasant  to  contemplate.  Fortunately,  the  fact  that  only  a  finite 
number  of  datoms  can  be  true  at  any  given  moment  will  make  it  unnecessary  to 
resort  to  infinite  theory  bodies. 

To see why only a finite number of instantiations of a strict axiom α are needed to prevent the rescue of a model, let 𝓜 be a model of 𝒯 that fails to satisfy α. Then 𝓜 fails to satisfy (α)_b, for some binding b of all the variables of α to universe elements of 𝓜.††† Let σ be the Skolem constant substitution for 𝓜 with respect to 𝒯. Create β by replacing every datom of (α)_b that does not appear in (𝒯)_σ by the truth value F; β is false in 𝓜. Now the set of all possible bindings b is infinite, giving an infinite number of possible (α)_b's, but the set of all possible βs is finite because 𝒯 is finite. Further, the universe elements appearing in β are all named by constants or Skolem constants in ℒ, because all those elements appear in (𝒯)_σ. Let Inst(α) be the finite set of βs for 𝓜. Then adding Inst(α) to 𝒯 will prevent 𝓜 from being rescued by any incoming update.

At this point it may seem once again that our task is complete: we have shown how to prevent 𝓜 from being rescued by adding a finite set of formulas Inst(α) to 𝒯. Further, although 𝒯 may have an infinite number of models 𝓜, there are only a finite number of possible formulas for Inst(α), so this technique can be extended to prevent rescues of all models. Unfortunately, there are two obstacles to implementation of this scheme:

1. Exactly which formulas are in Inst(α)? The set of formulas in Inst(α) may depend on the universe of 𝓜. How can this be predicted efficiently?

2. Do the same formulas occur in Inst(α) for every choice of 𝓜? If not, how can the different sets be merged into one large set for inclusion in the body of 𝒯?

If different formulas occur for different choices of 𝓜, then one cannot just add Inst(α) to the body of 𝒯 without changing the models of 𝒯. For example, let ℒ contain a single constant a, and let α be ∀x(R(a) → R(x)). If the body of 𝒯 is the single wff R(a), then 𝒯 has one model, where a is the only element of the universe. Let 𝓜 be a model of 𝒯 alone (without α) in which R(a) is true and the universe contains two elements, say a and b. Then an appropriate instantiation of α that will prevent 𝓜 from being rescued by the update INSERT ¬R(a) WHERE T is the wff R(a) → F. But adding this wff to the body of 𝒯 would eliminate the one legitimate model of 𝒯.

† For α a universal sentence in prenex form with prefix ∀x_1 ⋯ ∀x_n, and σ a substitution of constants c_1, …, c_n for x_1, …, x_n, (α)_σ is the wff obtained from α by removing α's prefix and then applying σ. A substitution for a subset of the variables of α is defined analogously.

†† Example: Axiom is ∀x(R(a) → R(x)), body of 𝒯 is initially empty, as always ℒ contains an infinite number of Skolem constants, and the universe contains two elements, of which only a is named in ℒ. If the user requests INSERT R(a) WHERE T, followed by INSERT ¬R(a) WHERE T, then the resulting theory should have no alternative worlds, as the first update eliminates them all, due to the completion axioms. But no matter what set of formulas an update algorithm adds to the body of 𝒯, the wff ¬R(e) will be consistent with the new body.

††† As usual, (α)_b is not a proper object: strictly speaking, we should extend ℒ or at least map all of α to the corresponding elements and relations in 𝓜. As in previous chapters, this hybrid notation will be used freely.

There are certain cases where questions (1) and (2) above have easy answers. For example, if the universes of all models of 𝒯 are isomorphic, then the Inst(α) constructed for one model 𝓜 is identical to that constructed for every other model. There are two ways of guaranteeing essentially identical universes: either include a domain completion axiom in 𝒯 (∀x((x = c_1) ∨ ⋯ ∨ (x = c_m)),† where each c_i is a constant) and thereby standardize the universe; or else guarantee that the universe of every model is infinite, by including an infinite set of constants in ℒ. In this latter case, universes may vary greatly from model to model, but every universe is guaranteed to be sufficiently large that Inst(α) will contain the same wffs for every model, giving an answer to question (2). Further, with respect to question (1), in the case of an infinite universe it is easy to generate Inst(α), because Inst(α) contains every possible instantiation of α, roughly speaking.

In the case where 𝒯 includes a domain completion axiom, question (2) has an easy answer: there is a reasonable way of constructing Inst(α) such that Inst(α) is the same for all models of 𝒯. (Note that no Skolem constants can appear in this domain completion axiom; otherwise, the universe would not necessarily be standard across all models of 𝒯.) However, question (1) remains unanswered: exactly which formulas are in Inst(α)? As will be shown after the presentation of the new Update Algorithm, it takes time polynomial in the size of 𝒯 and the domain to determine whether a particular formula is in Inst(α). The problem is NP-complete if the number of variables in α is also part of the input; but since the number of variables in α is in practice small and bounded, this is not cause for alarm.

† Domain completion axioms conflict with the requirement of Section 3.1.1 that L contain an infinite number of constants. This requirement is present to ensure that one will always be able to find a history atom H(f, U) that does not unify with any history atom in the body of T. If L contains only a finite set of constants, as implied by a domain completion axiom, then the whole system must come to a pause if the Update Algorithm runs out of “new” history atoms.
Why might it be expensive to test a candidate formula β for membership in Inst(α)? One must test whether there exists a substitution σ over L such that β may be obtained from (α)_σ through replacing by F all datoms of (α)_σ that do not unify with any atom of T. In general, this may require exhaustive generation and testing of potential σs. The problem may be formalized as that of finding a set of assignments to variables from a finite domain given certain forbidden combinations of assignments. Since the number of possible substitutions is m^n for a domain of size m with n variables in α, a generate-and-test strategy gives an algorithm that is polynomial in the size of T and the domain, but still quite expensive. On the other hand, in practice one expects the domain to be very large, and the datoms of T to be sparse within the cross product of the domain, making it very likely that a suitable substitution σ can be found quickly, if one exists. More will be said on this issue after the presentation of the new Update Algorithm.

Setting constraints on the universe is not the only way to achieve enforceability. For example, a strict axiom can only cause rescues if it contains data predicates; if there are no data predicates in α, then α is trivially enforceable, as even the Update Algorithm Version I will enforce α. For example, suppose T is an extended relational theory and α a domain completion axiom. Let M be a model of T that violates α. No update to M can remove that axiom violation, because α contains no atomic formulas whose truth valuations could be changed in M to effect a rescue.

There is one other type of axiom where questions (1) and (2) have easy answers. Interestingly, this class encompasses the axioms of traditional interest, such as functional dependencies and multivalued dependencies. The key feature of this axiom type is that an instantiation (α)_b of such an axiom α is guaranteed to be valid if any variable of α is bound to a universe element not named in L. If (α)_b is valid, then no model can violate (α)_b, and hence there is no need to include (α)_b in Inst(α).

Strict axioms that are easy to enforce are called enforceable:

Definition. A universal sentence α not containing history predicates is strictly enforceable if any of the following four conditions is satisfied.

1. α contains no data predicates.

2. L contains an infinite set of constants.

3. Among its completion axioms, T contains a domain completion axiom ∀x((x = c_1) ∨ ⋯ ∨ (x = c_m)), for each c_i a constant.

4. For x a variable of α, (a) substitute x for a subset S of the variables of α, creating β; (b) replace the atomic formula x = x by T wherever it occurs in β; and (c) replace any other atomic formulas of β containing x by the truth value F. If β is valid for all choices of x and S, then α is strictly enforceable. □
Please note that if β in condition 4 is logically equivalent to α, then though α fails to be strictly enforceable, α can be replaced by the equivalent and simpler axiom β, and β may well be strictly enforceable. For example, ∀x∀y∀z∀w(((Emp(x, y) ∧ Emp(x, z)) → (y = z)) ∧ (Emp(w, w) ∨ ¬Emp(w, w))) fails to meet condition 4 because of w, but in this case β is logically equivalent to ∀x∀y∀z((Emp(x, y) ∧ Emp(x, z)) → (y = z)), which is strictly enforceable because it satisfies condition 4.

As mentioned earlier, most common types of dependencies with semantics that are suitable for strict enforcement satisfy condition 4. For example, all functional dependencies and multi-valued dependencies satisfy condition 4. To see this, consider the dependency ∀x∀y∀z((Emp(x, y) ∧ Emp(x, z)) → (y = z)). If the atomic formulas over any one variable are false, then the preconditions of the implication are false, and therefore the axiom is satisfied. On the other hand, an axiom stating that an employee must be in every department save possibly one, ∀x∀y∀z((¬Emp(x, y) ∧ ¬Emp(x, z)) → (y = z)), does not meet condition 4, as, for example, ∀x∀y∀z((T ∧ ¬Emp(x, z)) → F) is not valid; nor is it logically equivalent to the original axiom.

If a potential strict axiom α does not meet conditions 1, 2, 3, or 4, then questions (1) and (2) above do not have easy answers. Section 6.5 presents a method of enforcing such axioms, using a rather painful method of instantiation.

We are now ready to extend the Update Algorithm to handle strictly enforceable axioms α. The technique for preventing rescues of alternative worlds that violate α has already been presented: a finite set Inst(α) of “instantiations” of α is constructed and added to T. At this point it only remains to present an efficient method of generating the set Inst(α). This will be accomplished by Step 1 of the new Update Algorithm, which instantiates the strict axioms with a subset of the constants and Skolem constants in the body of T. In Step 3 those instantiations will be added to the body of T. The key point of Step 1 is to instantiate the axioms as few times as possible, to minimize the size of T'. One would like to instantiate the axioms so as to produce only datoms that unify with datoms already in T; since all other datoms are known to be false, they can be replaced by the truth value F in the instantiation. In fact this is exactly what Step 1 does, albeit a bit more conservatively.

The goal of minimizing the size of Inst(α) leads to a complicated instantiation process for α. Step 1 is an iterative process, where successively more variables of α are carefully bound. Step 1 is difficult to understand, and for that reason several parenthetical remarks are included in the presentation of the algorithm.

Steps  2,  4,  5,  and  6  in  the  new  version  of  the  Update  Algorithm  are 
identical  or  nearly  identical  to  Steps  1,  2,  3,  and  4,  respectively,  of  the  Update 
Algorithm  Version  I. 


The Update Algorithm (Version IV)

Input. An extended relational theory T, including a strict axiom section, and a ground update U.

Output. T', an updated version of T.

Procedure. A sequence of six steps:

Step 1. Instantiate strict axioms. This step constructs the set of wffs Inst(α) for each strict axiom α. (Examples of the operation of Step 1 appear at the end of the presentation of the algorithm.) Let Inst(α) contain the set of all wffs (α)_σ constructed as follows:

a. Choose initial binding. Choose a datom f in ω and an atomic formula g in α such that f and g unify under a most general substitution σ'. Let σ be a substitution containing just the substitutions for variables in σ'. (Intuitively, Step 1a guarantees that some datom of ω appears in (α)_σ. If this condition were not met, then U could not possibly rescue a world violating (α)_σ.)

b. Bind additional variables. Repeat the following zero or more times:

Choose a datom f in T and an atomic formula g in (α)_σ such that f and g unify under a most general substitution σ'. Append the substitutions for variables in σ' to σ.

(Intuitively, Step 1b instantiates variables of α so that the datoms appearing in (α)_σ might possibly be true in some model of T. All variables unbound after Step 1b will be instantiated to universe elements not referenced by T, so that non-ground atomic formulas in (α)_σ can be replaced by F. The actual process is a bit more complicated; for example, the equality predicate will require special treatment.)

c. Decide which equality atomic formulas will be true. Repeat the following zero or more times:

If a variable x occurs in an equality atomic formula x = y or y = x in (α)_σ, for y a variable, constant, or Skolem constant, then append to σ the substitution of y for x.

This completes the construction of σ. The final four phases of Step 1 are devoted to simplifying the formulas in Inst(α).

d. Remove true equality formulas. For each wff β in Inst(α), replace the reflexive equality formula (e.g., x = x) by the truth value T wherever it is a subformula of β.

e. Discard unwanted βs. For each wff β in Inst(α), remove β from Inst(α) if

• α satisfies condition 4 in the definition of strictly enforceable axioms and β contains variables. (In this case, Step 1f applied to β will yield a valid wff, so β need not be included in Inst(α).)

• α satisfies condition 3 and Falsifiable(β, T) is false. (In this case, some model of T might not satisfy β if all non-ground atoms of β were replaced by F. The Falsifiable() routine will be described separately.)


f. Eliminate remaining variables. For each wff β in Inst(α), replace all non-ground atomic formulas in β by the truth value F.

g. Simplify β. For each wff β in Inst(α), replace datoms in β that do not unify with any datom in T or ω by F, if desired; and replace β by a simpler logically equivalent wff, if desired. (These simplifications will help to minimize the number of different instantiations and their total size.)

Step 2. Maintain the closed-world assumption. To maintain the closed-world assumption, all datoms in ω, φ, and Inst(α) need to be represented in the completion axioms of T. First change the body of T to reflect the new completion axioms: for each atom g that is a subformula of ω, φ, or Inst(α) but not T, let Σ_0 be the set of the most general substitutions σ such that for some datom f that is a subformula of T, f unifies with g under σ. If Σ_0 is the empty set, then add ¬g to the body of T; otherwise, add the wff

$$g \rightarrow \bigvee_{\sigma \in \Sigma_0} \sigma \qquad (1)$$

to the body of T. Then for every datom g of T not represented in the completion axioms, add a disjunct representing g to those axioms.

Step 3. Add Inst(α) to T. Add all the wffs in Inst(α) to the body of T.

Step 4. Make history. (Same as Step 2 of the Update Algorithm Version I.) For each atom f that is a subformula of T' and unifies with an atom of ω, replace all occurrences of f in the body of T by the history atom H(f, U). In other words, replace the body B of T by (B)_{σ_H}.

Step 5. Define the scope of the update. (Same as Step 3 of the Update Algorithm Version I.) Add the wff (φ)_{σ_H} → ω to T'.

Step 6. Restrict the scope of the update. (Same as Step 4 of the Update Algorithm Version I.) For each datom f in σ_H, let Σ be the set of all most general substitutions σ under which f unifies with an atom of ω. Add the wff

$$(f \leftrightarrow H(f, U)) \;\vee\; \Big((\phi)_{\sigma_H} \wedge \bigvee_{\sigma \in \Sigma} \sigma\Big) \qquad (2)$$

to T'. (Intuitively, formula (2) says that for f an atom that might possibly have its truth valuation changed by update U, the truth valuation of f can change only in a model where φ was true originally, and further that in any model so created, f must be unified with an atom of ω.) □

Example. For an example of the operation of Step 1, let U be the update INSERT ¬Emp(Reid, e) WHERE T, when the body of T contains just the wffs Emp(Reid, EE) and Emp(Reid, CSD) ∨ Mgr(Nilsson, CSD), and the strict axiom section of T contains just the single-department axiom, ∀x∀y∀z((Emp(x, y) ∧ Emp(x, z)) → (y = z)). This axiom satisfies condition 4 for strict enforceability. The Update Algorithm Version I would produce an alternative world in which Reid is in CSD, which is incorrect if α is to be enforced strictly. As will be shown, Step 1 of Version IV prevents this anomaly. The two alternative worlds that should be produced under strict enforcement have the sets of true datoms {Mgr(Nilsson, CSD), Emp(Reid, EE)} and {Mgr(Nilsson, CSD)}, respectively.

Step 1a ensures that some datom in the instantiation of α being created will unify with a datom of ω. If this were not the case, no datom in that instantiation of α would be affected at all by the update, and the update could not possibly cause a rescue of any alternative world that violated that particular instantiation of α. For Step 1a of the current example, first let g be Emp(x, y) of α, which unifies with Emp(Reid, e) in ω. Then σ is {x/Reid, y/e}, and (α)_σ is ∀z((Emp(Reid, e) ∧ Emp(Reid, z)) → (e = z)).

One option for (α)_σ at this point is not to include any additional variable substitutions in σ. Intuitively, this corresponds to instantiating those variables with universe elements not named in L. For the current example, however, if no further variable substitutions are done, (α)_σ will be eliminated from Inst(α) in Step 1e, because α satisfies condition 4 and hence that instantiation of α would be valid. Whenever (α)_σ is valid, every possible alternative world satisfies (α)_σ, and there is no way that U can cause a rescue of an alternative world violating (α)_σ, as there is no such world.

Another option for (α)_σ is to add no variable substitutions to σ in Step 1b and then to replace z by e in Step 1c. But the resulting wff (α)_σ, ((Emp(Reid, e) ∧ Emp(Reid, e)) → (e = e)), is also valid, and hence may be replaced by T in Step 1g. The wff T is a particularly uninteresting axiom instantiation.

The final option for (α)_σ is for a variable replacement to take place in Step 1b. The only variable in (α)_σ at that point is z; the only atomic formula containing z in (α)_σ is Emp(Reid, z); therefore g of Step 1b must be Emp(Reid, z). There are two possible choices for f in T: Emp(Reid, EE) or Emp(Reid, CSD). The former choice gives a σ of {x/Reid, y/e, z/EE}, and (α)_σ of ((Emp(Reid, e) ∧ Emp(Reid, EE)) → (e = EE)); the latter choice leads to a σ of {x/Reid, y/e, z/CSD} and (α)_σ of ((Emp(Reid, e) ∧ Emp(Reid, CSD)) → (e = CSD)).

As no variables remain in either version of (α)_σ, Steps 1c through 1f do not change these two wffs. In Step 1g, no simplifications look promising, so the two wffs can remain unchanged. Therefore Inst(α) contains the two wffs ((Emp(Reid, e) ∧ Emp(Reid, EE)) → (e = EE)) and ((Emp(Reid, e) ∧ Emp(Reid, CSD)) → (e = CSD)).

Returning to Step 1a for the next iteration, the only other choice for g in α is Emp(x, z), and the reader can quickly verify that this choice of g generates the same two wffs as did Emp(x, y). Therefore Inst(α) remains unchanged.
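The run of Steps 1a, 1b, 1e and 1g just traced, as an added example in Python that is not part of the dissertation: the functional dependency, the datom of ω and the datoms in the body of T are encoded as tuples (the "?" prefix marking variables and all function names are conventions of this example, not of the thesis), and the loop explores every choice of f in Step 1b, so it generalizes from the single trace above to any FD and any ground body. Step 1c is omitted because, for a functional dependency, substituting one side of the conclusion for the other always yields the valid instantiation that Step 1g would discard anyway.

```python
# Added example (not from the dissertation): Steps 1a, 1b, 1e and 1g of the
# Update Algorithm Version IV for a functional dependency alpha.
# Atoms are tuples (predicate, arg1, arg2, ...). An argument starting with "?"
# is a variable; anything else is a constant or a Skolem constant such as "e".
VAR_PREFIX = "?"


def is_var(term):
    return isinstance(term, str) and term.startswith(VAR_PREFIX)


def is_ground(atom):
    return not any(is_var(t) for t in atom[1:])


def match(atom, datom, subst):
    """One-way unification of a (possibly non-ground) atom against a ground
    datom, extending subst. Returns the extended substitution or None. Since
    the update is ground and the body of T is ground, this is the only kind of
    unification Step 1 needs."""
    if atom[0] != datom[0] or len(atom) != len(datom):
        return None
    s = dict(subst)
    for a, d in zip(atom[1:], datom[1:]):
        if is_var(a):
            if a in s and s[a] != d:
                return None
            s[a] = d
        elif a != d:
            return None
    return s


def apply_subst(atom, s):
    return (atom[0],) + tuple(s.get(t, t) for t in atom[1:])


def instantiate_fd(premises, conclusion, omega, body):
    """Inst(alpha) for an FD alpha = (premises -> u = v) with u, v variables.
    omega: ground datoms of the update; body: ground datoms of T.
    Each instantiation is returned as (sorted premises, sorted equality pair),
    so that syntactically different but identical wffs collapse to one."""
    inst = set()
    for f in omega:                              # Step 1a: bind via a datom of omega
        for g in premises:
            sigma0 = match(g, f, {})
            if sigma0 is None:
                continue
            # Step 1b: "bind one more variable against a datom of T" zero or
            # more times; every sequence of choices is explored.
            worklist, seen = [sigma0], set()
            while worklist:
                sigma = worklist.pop()
                key = tuple(sorted(sigma.items()))
                if key in seen:
                    continue
                seen.add(key)
                prem = [apply_subst(g2, sigma) for g2 in premises]
                lhs, rhs = (sigma.get(v, v) for v in conclusion)
                if all(is_ground(p) for p in prem):
                    # Step 1g: (A and A) -> (c = c) is the valid wff T; drop it
                    if lhs != rhs:
                        inst.add((tuple(sorted(prem)), tuple(sorted((lhs, rhs)))))
                    continue
                # Step 1e (condition 4): a beta that still has variables would be
                # valid after Step 1f, so it survives only if Step 1b grounds it.
                for f2 in body:
                    for g2 in prem:
                        if not is_ground(g2):
                            s2 = match(g2, f2, sigma)
                            if s2 is not None:
                                worklist.append(s2)
    return inst


# The example of the text: the single-department axiom and the body of T.
FD_PREMISES = [("Emp", "?x", "?y"), ("Emp", "?x", "?z")]
FD_CONCLUSION = ("?y", "?z")
OMEGA = [("Emp", "Reid", "e")]                      # from INSERT -Emp(Reid, e)
BODY = [("Emp", "Reid", "EE"), ("Emp", "Reid", "CSD"), ("Mgr", "Nilsson", "CSD")]


def example_inst():
    return instantiate_fd(FD_PREMISES, FD_CONCLUSION, OMEGA, BODY)


if __name__ == "__main__":
    for prem, eq in sorted(example_inst()):
        left = " and ".join(f"{p[0]}({p[1]}, {p[2]})" for p in prem)
        print(f"({left}) -> ({eq[0]} = {eq[1]})")
```

Running it prints the two wffs of Inst(α) found above, with premises in sorted order; the choice g = Emp(x, z) produces the same two entries, which is why the set has exactly two members. With a body of T holding no Emp datom for Reid the result is empty, the best case noted in Section 6.4.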

How will the two wffs of Inst(α) prevent the rescue of those undesirable alternative worlds? At the end of Step 6 of the Update Algorithm, the body of T' will contain the following wffs:


1. H(Emp(Reid, EE), U)
   (Original body plus history substitution)

2. H(Emp(Reid, CSD), U) ∨ Mgr(Nilsson, CSD)
   (Original body plus history substitution)

3. H(Emp(Reid, e), U) → ((e = CSD) ∨ (e = EE))
   (From Step 2, plus history substitution)

4. ((H(Emp(Reid, e), U) ∧ H(Emp(Reid, EE), U)) → (e = EE))
   (From Inst(α), plus history substitution)

5. ((H(Emp(Reid, e), U) ∧ H(Emp(Reid, CSD), U)) → (e = CSD))
   (From Inst(α), plus history substitution)

6. T → ¬Emp(Reid, e)
   (From Step 5, (φ)_{σ_H} → ω)

7. (Emp(Reid, e) ↔ H(Emp(Reid, e))) ∨ (T ∧ T)
   (From Step 6, formula (2))

8. (Emp(Reid, EE) ↔ H(Emp(Reid, EE))) ∨ (T ∧ (e = EE))
   (From Step 6, formula (2))

9. (Emp(Reid, CSD) ↔ H(Emp(Reid, CSD))) ∨ (T ∧ (e = CSD))
   (From Step 6, formula (2))


It is not obvious that this theory has the correct alternative worlds, but a little dedicated cranking will grind them out. We do so here to show that α has been enforced, that is, that Reid is not in CSD in any model of this theory.

By the completion axioms, the only possible true datoms are Emp(Reid, EE), Emp(Reid, CSD), Mgr(Nilsson, CSD), and Emp(Reid, e). The last of these four is ruled out immediately by wff #6.

For the remaining three datoms, first assume e = EE. Then #9 implies ¬Emp(Reid, CSD). #6 implies ¬Emp(Reid, EE). #1 implies H(Emp(Reid, e)), and with #5 this implies ¬H(Emp(Reid, CSD)), so by #2 Mgr(Nilsson, CSD) must be true.

Now assume e ≠ EE. Then #1 and #8 imply Emp(Reid, EE), which with α implies ¬Emp(Reid, CSD). It remains to show Mgr(Nilsson, CSD). If e ≠ CSD then #9 implies ¬H(Emp(Reid, CSD)), which with #2 implies Mgr(Nilsson, CSD). If e = CSD, then #1 and #4 imply ¬H(Emp(Reid, e)). This last and #2 imply Mgr(Nilsson, CSD). We conclude that T' has the correct alternative worlds.
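The cranking above can be mechanized. The following added example (Python, not from the dissertation) enumerates every interpretation of the Skolem constant e (EE, CSD, or an assumed element named OTHER standing for anything not named in L), every truth assignment to the four datoms the completion axioms allow and to the three history atoms, and keeps the assignments that satisfy wffs #1 to #9 together with the strict axiom α, which T' still carries. The function and constant names are this example's own.

```python
from itertools import product

# Added example (not from the dissertation): brute-force enumeration of the
# models of the theory T' built in the text (wffs #1..#9 plus the strict
# axiom alpha), to confirm that Reid is in CSD in no model.
# OTHER is an assumed name for any universe element not named in L.
EE, CSD, OTHER = "EE", "CSD", "OTHER"


def implies(p, q):
    return (not p) or q


def theory_holds(e, emp, hist, mgr):
    """Evaluate wffs #1..#9 and alpha under one interpretation.
    e: the universe element that the Skolem constant e denotes.
    emp[d]: truth value of Emp(Reid, d); hist[d]: truth value of H(Emp(Reid, d), U).
    Because e is interpreted, Emp(Reid, e) is the atom emp[e]; when e = EE it is
    the same atom as Emp(Reid, EE), exactly as the text's case analysis treats it."""
    Emp, H = emp.__getitem__, hist.__getitem__
    checks = [
        H(EE),                                                   # 1
        H(CSD) or mgr,                                           # 2
        implies(H(e), e == CSD or e == EE),                      # 3
        implies(H(e) and H(EE), e == EE),                        # 4
        implies(H(e) and H(CSD), e == CSD),                      # 5
        implies(True, not Emp(e)),                               # 6
        (Emp(e) == H(e)) or (True and True),                     # 7
        (Emp(EE) == H(EE)) or (True and e == EE),                # 8
        (Emp(CSD) == H(CSD)) or (True and e == CSD),             # 9
        # alpha, the single-department FD, over the ground Emp datoms; every
        # Emp datom in this theory has Reid as first argument
        sum(1 for d in emp if Emp(d)) <= 1,
    ]
    return all(checks)


def alternative_worlds():
    """Set of worlds (frozensets of true datoms) over all models of T'.
    The completion axioms allow only Emp(Reid, EE), Emp(Reid, CSD),
    Emp(Reid, e) and Mgr(Nilsson, CSD) to be true, so only those atoms and
    the history atoms of the three Emp datoms are enumerated."""
    worlds = set()
    for e in (EE, CSD, OTHER):
        depts = [EE, CSD] + ([OTHER] if e == OTHER else [])
        for emp_vals, hist_vals, mgr in product(
                product((False, True), repeat=len(depts)),
                product((False, True), repeat=len(depts)),
                (False, True)):
            emp = dict(zip(depts, emp_vals))
            hist = dict(zip(depts, hist_vals))
            if theory_holds(e, emp, hist, mgr):
                world = {f"Emp(Reid, {d})" for d in depts if emp[d]}
                if mgr:
                    world.add("Mgr(Nilsson, CSD)")
                worlds.add(frozenset(world))
    return worlds


if __name__ == "__main__":
    for w in sorted(alternative_worlds(), key=len):
        print(sorted(w))
```

The result is exactly the two worlds {Mgr(Nilsson, CSD)} and {Emp(Reid, EE), Mgr(Nilsson, CSD)}. Dropping the α check from the list shows why the text appeals to α in the e ≠ EE case: without it, the interpretation in which e denotes an unnamed element admits a model with both H(Emp(Reid, CSD), U) and Emp(Reid, CSD) true, that is, a world with Reid in CSD.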
Example. Let α be ∀x(Emp(Reid, English) → Emp(Reid, x)), and let L be infinite. This axiom satisfies condition 2 for strict enforceability but not condition 4. If the body of T contains just Emp(Reid, English), then T has no models, by the completion axioms. If the incoming update is INSERT ¬Emp(Reid, English) WHERE T, the Update Algorithm Version I would rescue the alternative world where all datoms are false. To enforce α strictly, the Update Algorithm Version IV must produce a theory with no models.

In Step 1a, if any variable substitutions are put into σ then (α)_σ is Emp(Reid, English) → Emp(Reid, English), which is valid and therefore will not be helpful in preventing rescues. Since Emp(Reid, English) of α already is a subformula of ω, however, σ can remain the empty substitution.

In Step 1b, again any substitution for variables will make (α)_σ valid. Steps 1c and 1d are inapplicable, since α does not contain the equality predicate. Step 1e is also inapplicable.

In Step 1f, Emp(Reid, x) is replaced by the truth value F, so that β is Emp(Reid, English) → F. Note that this wff was generated without considering the contents of the body of T at all; rather, it was generated using the fact that since the universe was infinite while the body of T was finite and ground, it followed that Emp(Reid, x) had to be false for some x in the universe. This is the key technique that keeps the set of needed instantiations finite for α when L contains an infinite set of constants.

In Step 1g, β can be simplified to ¬Emp(Reid, English). As T contains Emp(Reid, English), at the end of Step 6 T' will contain both H(Emp(Reid, English)) and ¬H(Emp(Reid, English)), and hence will be unsatisfiable, as desired.

We now describe the function Falsifiable(β, T). This function takes as input a universal formula β and an extended relational theory T containing a domain completion axiom. The function forms the set S containing all non-ground atomic formulas of β, and then determines whether there exists a binding b for all the variables in S such that (1) no datom in (S)_b unifies with a datom of T and (2) all equality atoms in (S)_b are unsatisfiable.

More formally, let x_1 through x_n be the variables of β, and let c_1 through c_m be the constants in the domain completion axiom of T. Then Falsifiable(β, T) returns the value ‘true’ iff the following formula is satisfiable:

$$\exists x_1 \cdots \exists x_n \Big( \bigwedge_{1 \le i < j \le n} (x_i \neq x_j) \;\wedge\; \bigwedge_{1 \le i \le n} \big((x_i = c_1) \vee \cdots \vee (x_i = c_m)\big) \;\wedge\; \bigwedge_{f \in S,\; P \in T} \neg\,\mathrm{red}(\sigma) \Big),$$

where σ is the most general substitution under which f and P unify, and red(σ) is formed from σ by replacing all equality atoms containing Skolem constants by the truth value T.
Falsifiable() checks for satisfiability by generating and testing bindings for the x_i variables. The name “Falsifiable” derives from the fact that the function is trying to ensure that the non-ground atomic formulas of β are falsifiable, that is, are false in some model of T.

We do not specify the exact technique used to compute Falsifiable(β, T); some heuristics to guide the generation process (e.g., a list of unlikely attribute values, such as “Nilsson” as an unlikely department name and “CSD” as an unlikely employee name) and backtracking should be entirely satisfactory in practice, since datoms may reasonably be expected to be quite sparse in the cross product of the domain. The worst-case time complexity of Falsifiable() is O(c m^n), where c is the number of occurrences of constants in T.
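A generate-and-test Falsifiable(β, T) over the constants of the domain completion axiom, as an added example in Python that is not from the dissertation. The sample domain, theory and formula are constructed here; variables carry a "?" prefix and Skolem constants are listed explicitly (both conventions belong to this example). Unification of a bound datom with a datom of T follows red(σ): an argument pair that involves a Skolem constant is taken as unifiable. An equality atom of (S)_b is counted unsatisfiable only when its two sides are distinct non-Skolem constants; that reading of condition (2) is an assumption of this example.

```python
from itertools import permutations

# Added example (not from the dissertation): generate-and-test computation of
# Falsifiable(beta, T) for a theory with a domain completion axiom.
# Atoms are tuples (predicate, args...); equality atoms are ("=", lhs, rhs).
# Arguments starting with "?" are variables; names in the skolem set are
# Skolem constants. All sample data below is constructed for illustration.


def is_var(term):
    return term.startswith("?")


def may_unify(datom, tdatom, skolem):
    """Two ground datoms unify iff they share a predicate and every argument
    pair is equal or involves a Skolem constant (red() replaces an equality
    atom containing a Skolem constant by T, i.e. treats it as satisfiable)."""
    return (datom[0] == tdatom[0] and len(datom) == len(tdatom)
            and all(a == b or a in skolem or b in skolem
                    for a, b in zip(datom[1:], tdatom[1:])))


def falsifiable(S, domain, T, skolem=frozenset()):
    """S: non-ground atomic formulas of beta. domain: constants c_1..c_m of the
    domain completion axiom. T: ground datoms of T. Returns a binding b (dict
    variable -> constant) under which no datom of (S)_b unifies with a datom of
    T and every equality atom of (S)_b is false, or None if there is none."""
    variables = sorted({t for atom in S for t in atom[1:] if is_var(t)})
    # Distinct constants per variable (the x_i != x_j conjuncts): at most m^n
    # candidates, fewer because the values must be pairwise distinct.
    for values in permutations(domain, len(variables)):
        b = dict(zip(variables, values))
        bound = [(atom[0],) + tuple(b.get(t, t) for t in atom[1:]) for atom in S]
        ok = True
        for atom in bound:
            if atom[0] == "=":
                lhs, rhs = atom[1], atom[2]
                # the equality atom must be false: distinct sides, neither Skolem
                if lhs == rhs or lhs in skolem or rhs in skolem:
                    ok = False
                    break
            elif any(may_unify(atom, t, skolem) for t in T):
                ok = False
                break
        if ok:
            return b
    return None


# Constructed sample: four domain constants, a body of T with one Skolem
# constant, and the non-ground atoms of some beta.
DOMAIN = ["Reid", "Nilsson", "EE", "CSD"]
SKOLEM = frozenset({"e"})
T_DATOMS = [("Emp", "Reid", "EE"), ("Emp", "Nilsson", "e")]
S_SAMPLE = [("Emp", "?x", "?y"), ("=", "?x", "Reid")]


def example_binding():
    # x cannot be Reid (the equality atom) nor Nilsson (Emp(Nilsson, e) unifies
    # with any Emp(Nilsson, _)), so the first acceptable binding has x = EE.
    return falsifiable(S_SAMPLE, DOMAIN, T_DATOMS, SKOLEM)


def example_unfalsifiable():
    # Once both arguments of a datom of T are Skolem constants, every Emp(x, y)
    # unifies with it, so no binding works and the result is None.
    return falsifiable([("Emp", "?x", "?y")], ["Reid", "EE"],
                       [("Emp", "e", "e2")], frozenset({"e", "e2"}))


if __name__ == "__main__":
    print(example_binding())          # a binding for ?x and ?y
    print(example_unfalsifiable())    # None
```

The loop visits the m^n candidate bindings in the worst case, which is the complexity figure given above; a practical implementation would order the candidates by the sparsity heuristics the text mentions and stop at the first success, which is what the early return does here.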

Theorem 6-1. For an extended relational theory T with strict axioms and a ground update U, the Update Algorithm Version IV accomplishes U. □

Proof of Theorem 6-1. As usual, let T_1 be the theory produced by Step 1, and so on. First, by Lemma 4-1, Steps 1 and 2 do not change the models of T; so T_1, T_2, and T all have the same models. Lemma 6-1 below shows that Inst(α) is finite, so the body of T_3 is finite and T_3 is an extended relational theory. Lemma 6-1 also shows that T_2 and T_3 have the same models. From the proof of Theorem 4-1 it follows that Version IV is correct and complete with respect to the definition of INSERT, except for two possible aberrations: given that a model M_6 is produced by Version IV, we must verify that M_6 satisfies the strict axioms of T; and also verify that World(M_6) ∈ Worlds(U(M)), for M a model of T. The former of these follows immediately, as T_6 contains the same type and dependency axioms as did T. It remains to verify that M_6 is descended from a model M of T.

From the proof of Theorem 4-1 and the fact that M_6 must satisfy the strict axioms of T_6, it is immediate that World(M_6) ∈ Worlds(U(M)) for some model M of T minus the strict axioms. To review the construction of M, let σ_6 be the Skolem constant substitution for M_6 with respect to T_6. Let M be a model that differs from M_6 in only the following respects: if f is a datom of σ_H, then the truth valuation of f in M is the same as the truth valuation of H(f, U) in M_6.

If M violates α, then for some binding b of universe elements to all the variables of α, (α)_b is false in M. Suppose that we are able to show that whenever (α)_b is false in a model, then some wff β of Inst(α) is also false there. But β is a formula of T_3, and M is a model of T_3, by the proof of Theorem 4-1; therefore M must be a model of (α)_b and of α. The remainder of this proof is a construction of a wff β such that β ∈ Inst(α) and β is false in M if (α)_b is false in M.

The wff ((α)_b)_{σ_6} must contain at least one datom that is a subformula of (ω)_{σ_6}, because otherwise (α)_b and α would be false in M_6. (This implies that α does not satisfy condition 1 for strict enforceability.) We will use this datom as the starting point for the construction of β. Choose an atomic formula g of α such that ((g)_{σ_6})_b is a datom of (ω)_{σ_6}. Let f be a datom of ω such that (f)_{σ_6} is the same datom as ((g)_{σ_6})_b. Then there exists a most general substitution σ' under which f and g unify. Let σ contain just the substitutions for variables in σ'; then (α)_σ is false in M, (((α)_σ)_{σ_6})_b is (α)_b, and (α)_σ was produced by the Update Algorithm Step 1a.

Repeat the following as many times as possible:

Choose a non-ground atomic formula g of (α)_σ such that (g)_b unifies with a datom f of T. Let σ' be a most general substitution under which f and g unify, and append the substitutions for variables in σ' to σ. Then (α)_σ is false in M, (((α)_σ)_{σ_6})_b is identical to ((α)_{σ_6})_b, and (α)_σ was produced by the Update Algorithm Step 1b.

Now let x = y be a non-ground equality atomic subformula of (α)_σ, for x and y distinct and, say, x a variable. If (x = y)_b is true in M, then append to σ the substitution of y for x. Repeat for all such subformulas of (α)_σ, and then (α)_σ is still false in M, (((α)_σ)_{σ_6})_b is identical to ((α)_{σ_6})_b, and (α)_σ was produced by the Update Algorithm Step 1c.

Let β be the wff (α)_σ. Replace all occurrences of the reflexive equality formula in β (e.g., x = x) by the truth value T. Then (β)_b is false in M, and β was produced by the Update Algorithm Step 1d.

If β is not ground, then possibly β will be removed from Inst(α) in Step 1e of the Update Algorithm. This will occur if α satisfies condition 4 for strict enforceability. But if α satisfies this condition, then by the construction of β, (α)_b must be a valid wff, and hence M must satisfy (α)_b, a contradiction.

β will also be removed from Inst(α) in Step 1e if α satisfies condition 3 for enforceability and Falsifiable(β, T) is false. But in this case, there must be a non-ground atomic formula g of β such that (g)_b unifies with a datom of T. But by the construction of β, there cannot be any such atomic formula remaining in β at this point.

In Step 1f, any remaining non-ground equality atomic formulas of β are replaced by F in β. But by the construction of β, any such atomic formula is false in M under binding b, and hence the new version of (β)_b is still false in M.

In Step 1f, all remaining non-ground atomic formulas of β over data predicates are also replaced by F in β. But by the construction of β, again any such atomic formula is false in M under binding b, and hence the new version of β is false in M.

After Step 1f, β is a ground wff that is false in M. By the completion axioms, one may replace by F any datom of β that does not unify with a datom of T, and β will still be false in M. Then by Step 1g, β or a wff logically equivalent to β is in Inst(α). This concludes the proof of correctness for the Update Algorithm Version IV. □

Lemma 6-1 shows that Step 3 does not change the models of T.

Lemma 6-1. For an extended relational theory T and an update U, let β be a wff in Inst(α), produced by Step 1 of the Update Algorithm Version IV. Then adding β to the body of T does not change the models of T. Further, Inst(α) contains a finite number of wffs. □

Proof of Lemma 6-1. If the strict axiom α satisfies condition 1 for strict enforceability, then Inst(α) is the empty set, and the theorem is satisfied. Otherwise, to show that Inst(α) is finite, recall that the body of T is finite and so is ω. Therefore there can be only a finite number of different unifications of atomic formulas of α with datoms of T and ω, and Inst(α) must be finite. The remainder of the proof shows that all models of T satisfy Inst(α).

Since all models of T satisfy α, all models also satisfy (α)_σ, for any substitution σ constructed in Step 1. Let β be the wff (α)_σ, and assume that β is not discarded in Step 1e. Then if α satisfies condition 4 for strict enforceability, β is a ground formula at this point.

If the strict axiom α satisfies condition 2 but not condition 4, then β may still contain variables after Step 1e, and every non-ground atomic formula of β will be replaced by F in Step 1f, creating β'. To show that every model M of T satisfies β', let c_1 through c_n be constants of L such that no datom with c_i as an argument is true in M. There must be such constants, because L contains an infinite number of constants. Then substitute c_i for x_i, for every variable x_i remaining in β, creating the wff (β)_c. Then M satisfies (β)_c, and for every non-ground atomic formula g of β, (g)_c is false in M. Therefore β' is also true in M.

If the strict axiom α satisfies condition 3 but not condition 4, then β may still contain variables after Step 1e, and every non-ground atomic formula of β will be replaced by F in Step 1f, creating β'. In this case Falsifiable(β, T) must be true, meaning that there exists a constant substitution b for the remaining variables of β such that for every non-ground atomic formula g of β, (g)_b is false in M. Therefore β' is true in every model of T.

As for Step 1g, by the completion axioms any datom of β that does not unify with any datom in 𝒯 must be false in all models of 𝒯. Therefore if we replace such a datom or datoms in β by F, the resulting wff will also be true in all models of 𝒯, and adding it to 𝒯 will not change the models of 𝒯.

Finally, any wff logically equivalent to β will also be true in all models of 𝒯, and hence adding such a wff to 𝒯 will not change the models of 𝒯. □

6.4.  Computational  Complexity  Revisited 

Step 3 of the Update Algorithm Version IV does increase the size of 𝒯. The amount of the increase depends on the type of axiom being strictly enforced and on the wffs currently in the body of 𝒯. Since the dependency axioms for the database will be known ahead of time and will change only rarely if at all, the axioms can be preanalyzed and specialized enforcement routines prepared. We begin by showing the computational complexity for functional and multi-valued dependencies. Let k be the number of different datoms in ω, and let R be the maximum number of datoms in 𝒯 over the same data predicate.

If the dependency axiom is a functional dependency, then the size of Inst(α) is O(kR) worst case (when a datom that seems to conflict with every other atom over the same predicate is "deleted") and size zero best case (when no potential conflicts occur). The time to construct Inst(α) is O(kR log(R)) worst case, assuming that every atom over every predicate occurring in ω is located through an index in time O(log(R)); and O(k log(R)) best case.

These worst-case estimates are high indeed; when extended to updates containing variables, the potential cost becomes most alarming. But just how many conflicts are likely to occur in practice? More revealing than worst-case scenarios is the average size of Inst(α). In an actual database application, there are a number of mitigating factors that lead one to expect that Inst(α) will be quite small on average. We now examine these factors individually.

First, practical updates and queries do contain variables. Typically, a query references many tuples in order to provide summary information to a user. In updates, however, we argue that variables play a different role. The typical update in a real database does not modify multiple tuples. It selects one tuple, and changes just that one tuple. Variables in such an update play the role of placeholders for "don't-care" values while a selection is being done on a key, and do not lead to large numbers of database modifications per update request. This profile should carry over to extended relational theories.

Second, a new datom in ω may conflict with every preexisting datom over its predicate, but just how likely is that situation? How often are there going to be many datoms that unify on the "ruling part" of their attributes? In any useful collection of data, those unifications should be few, as datoms will be sparse within the cross product of their domains. For example, when inserting the Emp(Reid, CSD) datom, one would not expect there to be large numbers of unidentified employees, nor for Reid to be rumored to be a member of many different departments.

Third,  functional  dependencies  are  typically  used  to  identify  keys.  One 
very  reasonable  restriction  for  a  practical  database  management  system  is  to 
forbid  null  values  to  occur  in  keys.  This  action  would  drastically  reduce  the 
number  of  potential  conflicts. 

In  sum,  axiom  instantiation  should  not  be  dismissed  as  a  technique  for 
strict  axiom  enforcement  on  the  basis  of  its  worst-case  behavior.  There  are 
good  reasons  for  expecting  satisfactory  performance  of  this  technique  in  real-life 
situations. 

Returning to the investigation of the computational complexity of particular classes of strict axioms, if the dependency axiom is a predicate-inclusion dependency (e.g., ∀x∀y (Mgr(x, y) → Emp(x, y))), then the time complexity is again O(kR log(R)) worst case (when "deleting" a datom that seemed to invalidate every atom over some other predicate) and O(k log(R)) best case (when no potential conflicts occur). Size complexity is the same as for functional dependencies. The same cost functions hold for a multivalued dependency as well.

The space and time bounds given above for enforcing α are precise because α has been pinned down to a particular class of axioms, such as functional dependencies. It is not possible to give a meaningful space bound for Inst(α) without such information on the format of α, the occurrences of equality predicates in α, and the patterns of occurrences of variables within the atomic formulas of α. For a size bound computed without this information, one must assume that every atomic formula in α unifies with everything in 𝒯 at each stage of the reduction, a ridiculous assumption that leads to very high estimated bounds. For this reason we choose not to include a general worst-case size bound for Inst(α).

As usual in these algorithms, the time complexity to construct Inst(α) differs from the size of Inst(α) by an O(log(R)) factor, representing the time needed to look up the atoms in indices. There is an additional multiplicative factor for strict axioms that satisfy only condition 3 for enforceability: the time complexity of Falsifiable(). As discussed earlier, the worst-case behavior of Falsifiable() is linear in the size of 𝒯 and polynomial in the size of the underlying domain. However, it seems reasonable to assume that in practice a call to Falsifiable() can be completed in constant time.

6.5.  Strict  Enforceability  Revisited 

The previous section explained why certain potential strict axioms α were not considered strictly enforceable. In particular, it may be difficult to determine which wffs are in Inst(α) for a particular model ℳ, and in addition, different models may have different sets of formulas in Inst(α). Actually, any sentence α can be strictly enforced; it just may be an unpleasant proposition to do so.

If α does not meet conditions 1-4 for strict enforceability, then ℒ has a finite set of constants. 𝒯, however, may have models with universes of different sizes, both finite and infinite. To enforce α strictly will require a pastiche of the techniques for finite universes (condition 3) and infinite universes (condition 2). Suppose that ℒ contains n constants, c_1 through c_n. Then in the final set Inst(α) that is added to the body of 𝒯:

• Include all the wffs β that would be included in Inst(α) if 𝒯 contained a domain closure axiom for c_1 through c_n. Such βs are true in all models of 𝒯.

• Find every additional wff β that would be included in Inst(α) if ℒ contained one additional constant c_{n+1} and 𝒯 contained a domain closure axiom for c_1 through c_{n+1}. Then include in Inst(α) the formula ((e_1 ≠ c_1) ∧ ··· ∧ (e_1 ≠ c_n)) → β.

• Find every additional wff β that would be included in Inst(α) if ℒ contained k additional constants, c_{n+1} through c_{n+k}, and 𝒯 contained a domain closure axiom for c_1 through c_{n+k}. Then include in Inst(α) the formula ((e_1 ≠ c_1) ∧ ··· ∧ (e_1 ≠ c_n) ∧ ··· ∧ (e_k ≠ c_1) ∧ ··· ∧ (e_k ≠ c_n) ∧ (e_k ≠ e_1) ∧ ··· ∧ (e_k ≠ e_{k-1})) → β.

• Stop adding formulas to Inst(α) when:

o If 𝒯 does not contain a domain completion axiom, then when every β has been generated that would be included in Inst(α) if ℒ contained an infinite number of constants;

o If 𝒯 contains a domain completion axiom containing j Skolem constants, then stop after the iteration where k = j.

Intuitively, those additional elements in the universe are needed in order to be able to guarantee the ability to falsify a subset of the datoms of β. Note the combinatorial explosion in the length of members of Inst(α) as k grows large.

Consider an example where α is ∀x (R(a) → R(x)). If U is INSERT ¬R(a) WHERE T, ℒ contains the single constant a, and the body of 𝒯 contains just R(a), then in every model of 𝒯, a must be the only element in the universe. After U is executed, a should still be the only element in the universe; yet the Update Algorithm Version I would rescue all the alternative worlds with more than one element. If 𝒯 contained the domain completion axiom ∀x (x = a), then Step 1 of Version IV would produce the set of formulas Inst(α) = {R(a) → R(a)}. If ℒ contained one additional constant, then Version IV would produce Inst(α) = {R(a) → F}. Adding a filter to the latter set and merging the two sets produces Inst(α) = {(e ≠ a) → ¬R(a)}. Note that adding ¬R(a) to 𝒯 would make 𝒯 inconsistent; but adding (e ≠ a) → ¬R(a) does not change the models of 𝒯 at all, and in fact does strictly enforce α and prevent models with universes containing more than just a from being rescued by U. Lest this example look too attractive, note that it was made tractable by restricting the language ℒ to just one constant; a large set of constants would cause explosive growth in the number of formulas needed to enforce α.

To merge this technique into Version IV, process U as though 𝒯 had a domain completion axiom containing all the constants of ℒ. At the time of the call to Falsifiable(β, 𝒯) in Step 1e, do not discard β if the call fails. Instead, repeatedly add single constants to the domain completion axiom until Falsifiable(β, 𝒯) succeeds, say on the kth call. Then replace β in Inst(α) by ((e_1 ≠ c_1) ∧ ··· ∧ (e_{k-1} ≠ e_k)) → β, where e_1 through e_k do not appear in 𝒯.

6.6.  Summary  and  Conclusion 

Type and dependency axioms can play many different roles in an extended relational theory. This chapter shows how to conduct two of those roles, passive and strict enforcement, and concentrates on the machinery necessary to enforce universally quantified axioms strictly, i.e., to eliminate permanently all alternative worlds that fail to satisfy that axiom. If universally quantified variables are permitted to occur in the body of 𝒯, then this is trivial to accomplish. If the body of 𝒯 is restricted to ground wffs, then the technique used is to try to instantiate the axiom with constants and Skolem constants from 𝒯, and to add those instantiations to the body of 𝒯. Through logical manipulations, the required set of instantiations can always be made finite. However, it may be difficult to make the set small; some combinations of axioms α and languages ℒ are just too expensive for strict enforcement when variables are not allowed in the body of 𝒯. However, α will always be strictly enforceable if ℒ contains an infinite set of constants, if the universe is known to be finite, or if, roughly speaking, for any variable x in α, replacing all atomic formulas of α containing x by the truth value F yields a valid formula. For example, all functional and multi-valued dependencies are strictly enforceable, and the cost of enforcing them during an update is quite reasonable.
Chapter 7: Other Semantics


Chapter 3 presented a semantics for updates (hereafter called the "standard semantics") along with a set of desiderata providing a rationale for the selection of the standard semantics. However, the standard semantics is not the only possible choice: there is a spectrum of reasonable candidates for update semantics, and the standard semantics is just one point on it. The purpose of this chapter is to define this spectrum of semantics, give a closer examination to a few of the points along the spectrum, and explain why some candidate semantics are more reasonable than others. In the process, the motivations behind the choice of the standard semantics will become clear. In addition, this chapter shows how to adapt the Update Algorithm to work with other choices of semantics; the basic technique is to change the formula of Step 4. To simplify the presentation, we will restrict attention to extended relational theories without strict axioms. We begin by providing a framework for evaluation of competing semantics.

7.1.  Criteria  for  Choice  of  Semantics 

In  this  discussion,  we  assume  that  two  of  the  three  main  desiderata  for  semantics 
that  were  presented  in  Section  3.3  are  still  applicable.  In  particular: 

•  The  alternative  worlds  of  the  updated  extended  relational  theory  must 
be  the  same  as  those  obtained  by  applying  the  update  separately  to  each 
original  alternative  world. 

• An update cannot directly change the truth valuations of any datoms except those that unify with datoms of ω.

With regard to the latter point, it is acceptable for an update indirectly to cause changes in the truth valuations of other datoms. For example, if type axioms (Chapter 6) are being enforced through axiom modification, then the update INSERT Emp(Reid, CSD) WHERE T might cause the datoms Employee(Reid) and Department(CSD) to become true. Any such side effects, however, must be due to axiom enforcement policies and not to the intrinsic semantics of the update.

Within  the  set  of  semantics  that  meet  these  two  requirements,  we  suggest 
four  criteria  for  evaluation  of  candidate  semantics: 

•  The  semantics  of  the  intended  application. 

•  Computational  tractability. 
• Comprehensibility.

•  Expressive  power. 

The following sections examine each of these criteria in turn, with special reference to the properties of the standard semantics.

The semantics of the intended application. Some applications inherently require a particular choice of semantics. Updates contain new information destined for a database or knowledge base; the source and intended use of that information may impart a particular interpretation to the new facts. For example, in a diagnosis application, one wishes to make as few changes as possible in a description of the correct functioning of a device in order to make the description conform to the actual observed behavior of the device. When the observed behavior is provided as incoming information in an update, the updated theory should not include every possible combination of conditions that would lead to the observed behavior, but rather only the minimal sets of combinations of such conditions. For example, if a patient is hot and flushed, the diagnostician should suggest an infection as the cause of the problem, and not include the combination of an infection and a broken leg, or an infection and a broken leg and a headache. It turns out that the standard semantics is not appropriate for diagnosis.

Computational  tractability.  A  computationally  tractable  semantics  is  one 
for  which  an  algorithm  with  a  reasonable  running  time  implements  the  semantics. 
For  example,  the  standard  semantics  is  computationally  tractable,  as  was  shown 
in  the  discussions  of  the  computational  complexity  of  the  Update  Algorithm. 

Comprehensibility. The user must be able to look at an update and understand what it will do: the update must be comprehensible. Our suggested tool for measuring comprehensibility versus trickiness is update equivalence: Do two updates that look similar produce the same effect on an extended relational theory? If two updates look different, do they produce different effects? Chapter 8 is devoted to a discussion of update equivalence. As will be shown there, syntax plays a moderate role in the criteria for update equivalence under the standard semantics.

Expressive  power.  The  semantics  must  have  adequate  expressive  power. 
One  must  be  able  to  express  every  type  of  update,  every  transition  between  sets 
of  alternative  worlds,  that  is  needed  for  the  application.  For  example,  Theorem 
7-1  below  shows  that  the  standard  semantics  can  be  used  to  move  from  the  set 
of  alternative  worlds  of  any  extended  relational  theory  to  the  set  of  worlds  of  any 
other  extended  relational  theory,  with  one  restriction;  and  hence  the  standard 
semantics  has  satisfactory  expressive  power. 

The restriction on movement between sets of alternative worlds under the standard semantics lies in Skolem constant mapping requirements; for example, one cannot move from the extended relational theory with body e=Reid to the theory with empty body. In general, any desired change can be made in the models of an extended relational theory, except that restrictions on the ranges of particular Skolem constants can never be revoked once those restrictions have entered the theory. This is not an important limitation, since we can always just rename the Skolem constants in the alternative worlds we would like to move to, and abandon the old Skolem constants. The following definition shows how to ignore selected Skolem constants in models.

Definition. Let 𝒟 be a subset of the language ℒ, formed by removing a finite set of Skolem constants from ℒ. If A = World(ℳ) for some model ℳ over ℒ, then A restricted to 𝒟 (written A|𝒟) is formed from A by removing from A the Skolem constant maps for every Skolem constant not in 𝒟. □

Theorem 7-1. Let 𝒯_1 and 𝒯_2 be extended relational theories over the same language, containing disjoint sets of Skolem constants,† such that 𝒯_1 is consistent. Then under the standard semantics, there exists an update U such that Worlds(U(𝒯_1))|𝒟 = Worlds(𝒯_2)|𝒟, where 𝒟 is ℒ minus the Skolem constants appearing in 𝒯_1. □

(The  proof  of  Theorem  7-1  is  given  just  before  the  proof  of  Theorem  7-5, 
a  similar  theorem.) 

Further, the application's commonly used transitions between sets of alternative worlds should not be overly difficult to express; for example, the standard semantics is not well suited for diagnostic applications for this reason as well.

7.2.  Minimal-Change  Semantics 

An obvious alternative to the standard semantics is a semantics for updates where the third main desideratum that determined the standard semantics, namely:

The information in ω is to represent the most exact and most recent state of knowledge obtainable about those datoms; and that information is to override all previous information about those datoms,

is replaced by the following:

An alternative world of 𝒯 where φ is true should be changed as little as possible to make ω true.

The meaning of "as little as possible" is subject to interpretation, as has been debated in other contexts [Todd 77, Bancilhon 81, Davidson 81, 84, Dayal 82, DeKleer 85, Fagin 83, 86, Ginsberg 85, Keller 82, 85, Lewis 73, Reiter 85, Weber 85] and will be discussed in Section 7.3. For the purposes of this section, "as little as possible" means that if one set of changes to an alternative world A is a proper subset of another set of changes, and both sets of changes will make ω true in the updated version of A, then the larger set of changes should not be performed. More formally, let ℳ be a model of an extended relational theory 𝒯. Then under the minimal-change semantics, inserting a wff ω into ℳ should produce the alternative worlds of every model ℳ' with the same universe and constant and Skolem constant mappings as ℳ, such that

(1) if ℳ' differs from ℳ in the truth valuations of a set D of null-free datoms, then no other model ℳ* with the same universe and mappings as ℳ' and where ω is true differs from ℳ in only a proper subset of D; and

(2) ω is true in ℳ'.

† This restriction is needed to avoid naming conflicts; if it is violated, rename the Skolem constants of one of the theories before testing.
A simplified version of this semantics is used by DeKleer [85] and Reiter [85]; they do not consider selection clauses (φ) or Skolem constants.

It follows from the minimal-change definition that two null-free updates INSERT ω_1 WHERE φ and INSERT ω_2 WHERE φ are equivalent under the minimal-change semantics if ω_1 and ω_2 are logically equivalent. Exact conditions for equivalence, however, are surprisingly complex (see Theorem 8-12), though the minimal-change semantics still scores satisfactorily on this measure of comprehensibility. The effect of a minimal-change update is very strongly tied to the current models of the extended relational theory. An example will perhaps be revealing: what is the effect of inserting (a ∧ ¬b) ∨ (c ∧ d), where a, b, c, and d are datoms? The quick response: the alternative worlds will be changed as little as possible to get (a ∧ ¬b) ∨ (c ∧ d) to be true. But exactly what will be true afterwards? That depends on what the models are now; for any particular model it will take a bit of careful thought to determine what the update produces.

The minimal-change semantics suffers from lack of expressive power, as does any semantics where logically equivalent ωs lead to equivalent updates. For example, if the user wants to say that there is no longer any information about the truth or falsity of a particular datom g, this can be done by inserting g ∨ ¬g under the standard semantics. Under a semantics based on logical equivalence, however, such an insertion would be equivalent to inserting the truth value T, and would therefore have no effect on the alternative worlds of the extended relational theory. In general, if an update is needed to express a loss of knowledge — i.e., one formerly believed that some proposition was true but now one is unsure — the minimal-change semantics does not offer a mechanism to accomplish the change, since every model of the old extended relational theory already satisfies ω.

Theorem 7-2. Let 𝒯_1 and 𝒯_2 be consistent extended relational theories such that Models(𝒯_1) is a proper subset of Models(𝒯_2), and Worlds(𝒯_1) ≠ Worlds(𝒯_2). Then for no update U does Worlds(U(𝒯_1)) = Worlds(𝒯_2). □

Proof of Theorem 7-2. Suppose that U is such an update, and let ℳ be a model of 𝒯_1 and therefore also of 𝒯_2. Suppose that U changes ℳ, that is, that U(ℳ) ≠ {ℳ}. Then ω is false in ℳ. By the definition of the minimal-change semantics, it follows that World(ℳ) ∉ Worlds(U(ℳ)). Since World(ℳ) ∈ Worlds(𝒯_2), it follows that for some other model ℳ' of 𝒯_1, World(ℳ) ∈ Worlds(U(ℳ')). But then ω is true in ℳ, a contradiction. We conclude that U does not change ℳ. But ℳ is an arbitrary model of 𝒯_1; therefore Worlds(U(𝒯_1)) = Worlds(𝒯_1), so Worlds(U(𝒯_1)) ≠ Worlds(𝒯_2). □

If instead of a single update U, we allow a series of updates U_1 through U_n, Theorem 7-2 still holds if ℒ contains a finite set of constants.† An example follows.

Example. Let ℒ contain the single constant a and the single predicate R, and let the body of 𝒯_1 be the formula R(a). Then there is no way to move from 𝒯_1 to the alternative worlds of the theory with body R(a) ∨ ¬R(a) under a series of updates. □

If ℒ contains an infinite set of constants, it is possible to remove all knowledge about the truth valuation of a datom under the minimal-change semantics by eliminating the requirement that the transition be accomplished in a single update. This is because additional updates and constants can be used to do encoding, much as history atoms were used with lazy evaluation and update splitting in Chapter 5 to encode information for future updates. One cannot encode using just the equality predicate and Skolem constants, as such encoding makes permanent changes in alternative worlds; hence the need for an infinite set of constants. An example follows.

Example. Under the minimal-change semantics, one can remove all knowledge about the truth valuation of a datom a by the following series of four updates:

U_1: INSERT f ∨ g WHERE T,

U_2: INSERT ¬a WHERE g,

U_3: INSERT a WHERE f,

U_4: INSERT

where f and g are datoms not unifying with a, with each other, or with any datom of 𝒯. □

The use of ordinary datoms such as f and g for encoding, however, has a number of disadvantages. For correctness all the steps of the procedure, including the awkward and potentially expensive location of "unused" datoms for coding, must be bundled into a single transaction, which is not always convenient. More importantly, encoding runs counter to the spirit of our endeavor, as it is beyond the capabilities of average users, be they humans or programs. Finally, encoding runs afoul of another requirement of the expressiveness criteria, namely, that common update requests be standard to express.

† This conflicts with the requirement of Section 3.1.1 that ℒ contain an infinite number of constants. This requirement is present to insure that one will always be able to find a history atom H(f, U) that does not unify with any history atom in the body of 𝒯. If ℒ contains only a finite set of constants, as is reasonable for many applications, then the whole system must come to a pause if the Update Algorithm runs out of "new" history atoms.

We conclude that under the minimal-change semantics, a separate operator is needed to accomplish updates reporting a loss of knowledge; such an operator could have the standard semantics or another expressive model-based semantics. Alternatively, one could define a minimal-change DELETE operator, such as that of Fagin et al [86]; however, it turns out that a minimal-change DELETE cannot really have a model-based semantics, and so must mark a considerable departure from all other semantics discussed in this thesis. Of course, yet some other hybrid approach is also possible. In any case, we conclude that a little syntactic element — name-dropping — can be useful in update semantics.

Interestingly, the Update Algorithm is sufficiently general to serve under the minimal-change semantics (and other choices of semantics as well) simply by altering the formula of Step 4. Recall that in Step 4 of the Update Algorithm using the standard semantics,

(f ↔ H(f, U)) ∨ ((φ)_σ ∧ ⋁_{σ∈Σ} σ)    (2)

is added to 𝒯' for every datom f of 𝒯' that unifies with an atom of ω. If the current update is INSERT Emp(Reid, EE) ∨ Emp(Reid, CSD) WHERE T and there are no Skolem constants in 𝒯, then this means that 𝒯' gets the two new wffs

(Emp(Reid, EE) ↔ H(Emp(Reid, EE), U)) ∨ (T ∧ T)

(Emp(Reid, CSD) ↔ H(Emp(Reid, CSD), U)) ∨ (T ∧ T),

both of which are logically equivalent to T. To move to the minimal-change semantics, one needs to add the two wffs

(Emp(Reid, EE) ↔ H(Emp(Reid, EE), U)) ∨
(¬H(Emp(Reid, EE), U) ∧ ¬H(Emp(Reid, CSD), U) ∧ ¬Emp(Reid, CSD))

(Emp(Reid, CSD) ↔ H(Emp(Reid, CSD), U)) ∨
(¬H(Emp(Reid, EE), U) ∧ ¬H(Emp(Reid, CSD), U) ∧ ¬Emp(Reid, EE)).

These  formulas  say  that  the  truth  valuation  of  Emp(Reid,  EE)  can  only  change  in 
an  alternative  world  if  Reid  is  in  neither  department  before  the  update  and  Reid  is 
not  in  CSD  in  that  alternative  world  after  the  update.  If  Emp(Reid,  EE)  and/or 
Emp(Reid,  CSD)  are  already  true  in  an  alternative  world,  then  they  remain  true 
there;  and  otherwise,  Reid  is  put  into  exactly  one  of  those  two  departments. 
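The minimal-change definition of Section 7.2 and the Emp(Reid, EE) ∨ Emp(Reid, CSD) example above can be checked mechanically on propositional alternative worlds. The following is an added example, not code from the thesis; it assumes null-free datoms (no Skolem constants, so unification is trivial), a finite language, a selection clause φ = T, and represents an alternative world as the frozenset of datoms true in it. It also covers the (a ∧ ¬b) ∨ (c ∧ d) and g ∨ ¬g cases from Section 7.2.

```python
"""Standard vs. minimal-change update semantics on propositional alternative worlds.

Added example, not code from the thesis.  Assumptions: datoms are null-free
(no Skolem constants), the language is finite, the selection clause phi is T,
and an alternative world is the frozenset of datoms true in it (all others false).
"""
from itertools import product


# Wffs are nested tuples: ('atom', d), ('not', f), ('and', f, g), ('or', f, g).
def atom(datom):
    return ("atom", datom)


def neg(f):
    return ("not", f)


def conj(f, g):
    return ("and", f, g)


def disj(f, g):
    return ("or", f, g)


def atoms(f):
    """Set of datoms occurring in the wff f."""
    if f[0] == "atom":
        return frozenset([f[1]])
    return frozenset().union(*(atoms(sub) for sub in f[1:]))


def holds(f, world):
    """Truth value of the wff f in an alternative world."""
    tag = f[0]
    if tag == "atom":
        return f[1] in world
    if tag == "not":
        return not holds(f[1], world)
    if tag == "and":
        return holds(f[1], world) and holds(f[2], world)
    if tag == "or":
        return holds(f[1], world) or holds(f[2], world)
    raise ValueError("unknown connective %r" % tag)


def candidates(world, omega):
    """Worlds that satisfy omega and agree with `world` on every datom outside
    atoms(omega): neither semantics may directly change any other datom."""
    touched = sorted(atoms(omega))
    untouched = world - frozenset(touched)
    for bits in product((False, True), repeat=len(touched)):
        w = untouched | {d for d, b in zip(touched, bits) if b}
        if holds(omega, w):
            yield frozenset(w)


def standard_insert(world, omega):
    """Standard semantics: omega overrides all previous information about its
    datoms, so every satisfying valuation of those datoms yields a world."""
    return frozenset(candidates(world, omega))


def minimal_change_insert(world, omega):
    """Minimal-change semantics: a candidate world M' survives only if no other
    candidate differs from the original world in a proper subset of the set D
    of datoms on which M' differs from it."""
    cands = list(candidates(world, omega))
    change = {w: w ^ world for w in cands}  # symmetric difference = the set D
    return frozenset(w for w in cands
                     if not any(change[v] < change[w] for v in cands))


if __name__ == "__main__":
    EE, CSD = atom("Emp(Reid,EE)"), atom("Emp(Reid,CSD)")
    omega = disj(EE, CSD)  # INSERT Emp(Reid,EE) v Emp(Reid,CSD) WHERE T
    for world in (frozenset(), frozenset({"Emp(Reid,EE)"})):
        print("from", set(world))
        print("  standard      :", [set(w) for w in standard_insert(world, omega)])
        print("  minimal-change:", [set(w) for w in minimal_change_insert(world, omega)])
    # Loss of knowledge: inserting g v ~g changes nothing under minimal change.
    g = atom("g")
    print("g v ~g:", [set(w) for w in minimal_change_insert(frozenset({"g"}), disj(g, neg(g)))])
```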

In the general case, formula (2) needs to contain extra terms that are true exactly when f is part of a set of minimal changes that makes ω true in an alternative world. To capture those states, let v_ω be a truth valuation for all the atoms of ω.† Unfortunately, when Skolem constants occur in ω, knowing v_ω may not be sufficient to determine the minimal changes needed to make ω true in an alternative world A satisfying v_ω. In particular, if two datoms of ω unify with one another, additional information may be needed, as the following example shows.

† A truth valuation v can be written in wff form as the conjunction of T and a set of literals, such that the atom a is a conjunct of v in wff form iff a receives the truth valuation T under v, and ¬a is a conjunct of v in wff form iff a receives the truth valuation F under v.

Example. Consider the update INSERT R(a) ∨ (R(e) ∧ R(b)) WHERE T, applied to a theory with empty body. If e is not a, then one minimal change that will make ω true is to make both R(e) and R(b) true. If e is a, however, then this is not a minimal change, as making just R(e) true will satisfy ω. ◇

For this reason, one must know exactly which datoms in ω unify with one another in A before attempting to determine the minimal changes needed in A. To that end, let PossUnif(ω) be the set containing T and all most general substitutions σ under which a datom of ω unifies with another datom of ω; and let Unif(ω) be any satisfiable truth valuation of all the atoms in PossUnif(ω).

Example. Again consider the update U: INSERT R(a) ∨ (R(e) ∧ R(b)) WHERE T. PossUnif(ω) contains the formulas T, e=b, and e=a. The possible values for Unif(ω) are e=b ∧ e≠a, e≠b ∧ e=a, and e≠b ∧ e≠a. ◇

As explained above, v_ω ∧ Unif(ω) includes all the information about an alternative world that is needed to compute the minimal sets of changes in that world that will make ω true there. We now need to identify those minimal sets. Given a satisfiable v_ω ∧ Unif(ω), let Stable(v_ω, Unif(ω)) be a subset of the truth valuations of v_ω such that

(1) If v'_ω is created from v_ω by negating the truth valuations of all datoms of v_ω except members of Stable(v_ω, Unif(ω)), then ω is true under v'_ω ∧ Unif(ω);

(2) No proper superset of Stable(v_ω, Unif(ω)) within v_ω has property (1).

Then Stable(v_ω, Unif(ω)) exactly characterizes a legal minimal-change transition for A, by pinpointing a maximal subset of the datoms of ω that can retain their current truth valuations when ω is made true. Let StableSets(v_ω, Unif(ω)) be the set containing all choices of Stable(v_ω, Unif(ω)). A simple algorithm for finding StableSets(v_ω, Unif(ω)), called full reduction, is given in Section 8.4 and proven correct in Theorem 8-13.

Example. Again consider the update INSERT R(a) ∨ (R(e) ∧ R(b)) WHERE T. There are eight possible values for v_ω; not all of them are satisfiable given Unif(ω). We show StableSets(¬R(a) ∧ ¬R(b) ∧ ¬R(e), Unif(ω)) for each value of Unif(ω).

    Unif(ω)         StableSets(¬R(a) ∧ ¬R(b) ∧ ¬R(e), Unif(ω))
    e=b ∧ e≠a       R(a),  R(b) ∧ R(e)
    e≠b ∧ e=a       R(b)
    e≠b ∧ e≠a       R(a),  R(b) ∧ R(e)                                ◇
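The following Python program is an added illustration and is not part of the dissertation. It computes StableSets(v_ω, Unif(ω)) for the update above by brute force: it enumerates every subset of the atoms of ω, keeps those subsets whose members can retain their valuation while every other atom is negated and ω becomes true under the assumed unifications, and discards the non-maximal ones. A value of Unif(ω) is passed as the set of atom pairs that it makes equal (the choice e=a ∧ e=b is unsatisfiable because a and b are distinct constants, so it is never passed); the atom names and the all-false starting valuation are the ones from the table. The second function goes one step further than the table and enumerates, for one value of Unif(ω), all (v_ω, Stable) pairs that contribute to the set of legal minimal-change transitions.

```python
from itertools import combinations, product

# Atoms of ω for the running example INSERT R(a) ∨ (R(e) ∧ R(b)) WHERE T.
ATOMS = ("R(a)", "R(b)", "R(e)")

def omega(v):
    """ω evaluated under a truth valuation v (dict atom -> bool)."""
    return v["R(a)"] or (v["R(e)"] and v["R(b)"])

def atom_classes(unif):
    """Map each atom to a representative of its equality class under Unif(ω).

    unif is a set of (atom, atom) pairs that Unif(ω) makes equal, e.g.
    {("R(e)", "R(b)")} for e=b ∧ e≠a.  Pairs not listed are taken to be distinct."""
    rep = {a: a for a in ATOMS}
    def find(x):
        while rep[x] != x:
            x = rep[x]
        return x
    for x, y in unif:
        rep[find(x)] = find(y)
    return {a: find(a) for a in ATOMS}

def satisfiable(v, cls):
    """v ∧ Unif(ω) is satisfiable iff atoms identified by Unif(ω) agree in v."""
    return all(v[a] == v[b] for a in ATOMS for b in ATOMS if cls[a] == cls[b])

def stable_sets(v_omega, unif):
    """StableSets(v_ω, Unif(ω)): the maximal subsets of atoms that may keep
    their valuation from v_ω while all other atoms are negated and ω becomes
    true.  Each stable set is returned as a sorted list of atom names."""
    cls = atom_classes(unif)
    if not satisfiable(v_omega, cls):
        return []  # v_ω ∧ Unif(ω) unsatisfiable: no transition starts here
    candidates = []
    for r in range(len(ATOMS) + 1):
        for keep in combinations(ATOMS, r):
            flipped = {a: (v_omega[a] if a in keep else not v_omega[a]) for a in ATOMS}
            if satisfiable(flipped, cls) and omega(flipped):
                candidates.append(frozenset(keep))
    maximal = [s for s in candidates if not any(s < t for t in candidates)]
    return sorted(sorted(s) for s in maximal)

def transitions(unif):
    """All (v_ω, Stable) pairs for one value of Unif(ω): every v_ω that is
    satisfiable given Unif(ω), paired with each of its stable sets."""
    result = []
    for bits in product([False, True], repeat=len(ATOMS)):
        v_omega = dict(zip(ATOMS, bits))
        for stable in stable_sets(v_omega, unif):
            result.append((bits, stable))
    return result

if __name__ == "__main__":
    all_false = {a: False for a in ATOMS}
    for label, unif in [("e=b ∧ e≠a", {("R(e)", "R(b)")}),
                        ("e≠b ∧ e=a", {("R(e)", "R(a)")}),
                        ("e≠b ∧ e≠a", set())]:
        print(label, stable_sets(all_false, unif), len(transitions(unif)), "transitions")
```

Running it reproduces the three rows of the table; the transition count shows how the set of legal transitions grows with the number of atoms of ω even for this small update (11 pairs when no atoms unify, 5 when e=b), which is the source of the exponential size increase discussed below.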
The set of all legal minimal-change transitions is given by the set S_Δ, which contains the wff $(v_\omega)_{\sigma_H} \land \mathrm{Unif}(\omega) \land \mathrm{Stable}(v_\omega, \mathrm{Unif}(\omega))$, for all wffs v_ω and Unif(ω) such that v_ω ∧ Unif(ω) is satisfiable, and for all Stable(v_ω, Unif(ω)) ∈ StableSets(v_ω, Unif(ω)). For technical reasons, S_Δ must contain the wff F as well. (Since the number of atoms in U is not related to the size of T and will be small, the computation of S_Δ will be feasible even though S_Δ may be of size exponential in the size of U.) Intuitively, each member of S_Δ represents a minimal-change transition from one alternative world (denoted by (v_ω)_{σ_H} ∧ Unif(ω)) to another under the minimal-change semantics.

We now incorporate S_Δ into a new version of Step 4 of the Update Algorithm Version I that implements the minimal-change semantics:

Step 4'. Restrict the scope of the update. For each datom f in σ_H, let Σ be the set of all most general substitutions σ under which f unifies with an atom of ω. Add the wff

$$(f \leftrightarrow H(f,U)) \lor \Big((\phi)_{\sigma_H} \land \bigvee_{\sigma \in \Sigma} \big(\sigma \land \bigvee_{\substack{\tau \in S_\Delta \\ f \notin (\tau)_\sigma}} \tau\big)\Big) \qquad (2')$$

to T'. (By f ∉ (τ)_σ we mean that f is not a subformula of (τ)_σ.) Intuitively, for f an atom that might possibly have its truth valuation changed by update U, formula (2') says that the truth valuation of f can change only in a model where φ was true originally, and further that in any model so created, f must be unified with an atom of ω, and must be part of a minimal change in that model to make ω true. ◇

Example. For the update INSERT Emp(Reid, EE) ∨ Emp(Reid, CSD) WHERE T applied to a theory not containing Skolem constants, the two wffs added in Step 4' are

$(Emp(Reid, EE) \leftrightarrow H(Emp(Reid, EE), U)) \lor (T \land (T \land (F \lor F \lor F \lor (\neg H(Emp(Reid, EE), U) \land \neg H(Emp(Reid, CSD), U) \land T \land \neg Emp(Reid, CSD)))))$

$(Emp(Reid, CSD) \leftrightarrow H(Emp(Reid, CSD), U)) \lor (T \land (T \land (F \lor F \lor F \lor (\neg H(Emp(Reid, EE), U) \land \neg H(Emp(Reid, CSD), U) \land T \land \neg Emp(Reid, EE))))).$ ◇


Theorem 7-3. Given an extended relational theory T and an update U, the Update Algorithm Version I, with Step 4 replaced by 4', correctly and completely performs U under the minimal-change semantics. ◇

Proof of Theorem 7-3. This new algorithm produces a set of alternative worlds that is a subset of those produced by the Update Algorithm Version I, as formula (2') logically entails formula (2). Therefore the proof of Theorem 4-1 can be used to show that the new algorithm is correct and complete, with one exception: Let M_4 be a model produced by the new algorithm. For some model M of T such that World(M_4) ∈ Worlds(U(M)), we must show that there is no model M'_4 such that World(M'_4) ∈ Worlds(U(M)) and the differences in datom truth valuations between M'_4 and M are a proper subset of the differences in datom truth valuations between M and M_4.

Let M_4 be a model of T_4 where (φ)_{σ_H} is true; let σ_4 be the Skolem constant substitution for M_4 with respect to T and U; and let M be defined exactly as in the proof of Theorem 4-1. Let g be a null-free datom on which M and M_4 disagree in truth valuation. Then g is a subformula of (ω)_{σ_4}. Let S be the set of datoms f in ω and T such that (f)_{σ_4} is g. For any f ∈ S, by formula (2') there must be σ ∈ Σ such that σ ∧ ((v_ω)_{σ_H} ∧ Unif(ω) ∧ Stable(v_ω, Unif(ω))) is true in M_4. It follows that v_ω ∧ Unif(ω) is true in M. But in any model where v_ω ∧ Unif(ω) is true, Stable(v_ω, Unif(ω)) determines a minimal change in that model that will make ω true. Since Stable(v_ω, Unif(ω)) is true in M_4, it follows that M_4 does constitute a minimal change from M to make ω true. ◇

As defined, the set of formulas added to T' in Step 4' will always have size exponential in the number of atoms in U. More precisely, Step 4' adds $O\big(nk^3\,2^{k+\binom{k}{2}}\binom{k}{k/2}\big)$ occurrences of atoms to T' in the worst case, where k is the size of the update and n is the maximum number of datoms in T that unify with a datom of ω. In other words, the size increase is linear in the number of datoms of T that unify with datoms of ω, and exponential in the size of the update. Though a size increase in T that is exponential in the size of U is unavoidable in the worst case, this estimate is greatly exaggerated for the typical theory and update. For example, for simple ω formulas such as conjunctions and disjunctions of literals, a much smaller size increase (linear and quadratic, respectively, in the size of U) is possible for ground theories and updates, with commensurate savings when Skolem constants are present. Therefore, rather than applying the worst-case formulas blindly and adding their instantiations directly to T, a heuristic minimization procedure (e.g., recognition of conjunctions and disjunctions, Karnaugh mapping) should be applied first to reduce the length of the formulas.

Because  we  cannot  offer  as  efficient  an  algorithm  for  the  minimal-change 
semantics  as  for  the  standard  semantics,  and  because  it  will  be  more  difficult 
to  minimize  the  length  of  the  formulas  added  to  T,  we  conclude  that  the  extra 
effort  required  to  implement  minimal-change  semantics  is  not  worthwhile  unless 
the  semantics  of  the  application  call  for  a  minimal-change  semantics. 

7.3.  A  Spectrum  of  Candidate  Semantics 

Before embarking on a further investigation of semantics, it will be helpful to point out that all these semantics fall into a broad spectrum ranging from the standard semantics on one end to variants of the minimal-change semantics on the other. For example, the standard semantics has the most lenient rules about which alternative worlds fall into the result of an update; any way of making ω true will do. The truth-maintenance semantics (to be presented below) rules out a number of these models as containing unacceptable changes in truth valuations. The minimal-change semantics rules out even more of these models. One can easily imagine populating the hierarchy with ever more exotic choices of semantics.

For example, consider the minimal-change semantics. The definition we gave for this semantics said that in making ω true in an alternative world, if one set of changes to an alternative world A is a proper subset of another set of changes, then the latter set can be eliminated. An even more minimal change can be obtained by requiring the sets of changes to have the minimum possible cardinality, instead of just using the set/subset relationship. This variant is another point in the semantics spectrum.

As another variant, perhaps the definition of minimal-change semantics should take any strictly enforced axioms into consideration. The quickest route to satisfying ω, i.e., the minimal sets of changes in an alternative world that will make ω true, might produce only alternative worlds that violate the strict axioms.* A more generous set of changes might lead to a viable alternative world.

Another point in the semantics spectrum was introduced recently by Weber [86]. He proposes a system where the goal is to preserve as many truth valuations as possible in an alternative world when updating. However, if there is more than one minimal set of changes that will make ω true in an alternative world A, then the truth valuations of all datoms in any minimal set are allowed to change. This is a most interesting choice, and one unforeseen by this author when postulating the existence of a spectrum of reasonable semantics. Given a particular update U under Weber's semantics, the effect of U may vary greatly depending on the models of the extended relational theory. In fact, the effect can range from coinciding with the minimal-change semantics, if there are no conflicts in the minimal sets of changes that will make ω true in various alternative worlds, to coinciding with the standard semantics, when the current worlds of the theory are squarely at odds with the new information in ω.

7.4. The Truth-Maintenance Semantics

It will perhaps lend additional credence to the claim of existence of a spectrum of reasonable semantics, and also of the flexibility of the Update Algorithm, that the majority of the research in this thesis was carried out with a semantics other than the standard semantics in mind. The truth-maintenance semantics corresponds to the author's original intuitions about what updates should mean; she was only detached from this semantics after proving some very unpleasant theorems about update equivalence under the truth-maintenance semantics (see Chapter 8), and indeed it is on the score of comprehensibility that the truth-maintenance semantics must be found lacking. We begin with an intuitive justification for this semantics.

* This problem does not arise with the standard semantics.

Suppose the user requests an insertion of a ∨ b, where a and b are datoms. What effect should this update have on a model M where a is already true? In particular, should this update produce any model where a is false? The user did not mention ¬a; there are no negation signs anywhere in this update. Is there really any justification for making a false in any models produced by this update? Since a appears only positively in the update, is it not correct to maintain the current truth valuation of a?

Definition. A null-free datom g appears positively (resp. negatively) in a null-free wff α having no connectives other than ∧, ∨, and ¬, if g is a subformula of α and does not occur governed by an odd (resp. even) number of negation signs. ◇

For example, g does not appear positively or negatively in g ∨ ¬g or f ∨ ¬f, and appears positively in ¬(f ∧ ¬g). It is easy to prove that if ω is satisfiable, then it is satisfiable with a truth valuation in which any given subset of the datoms that appear positively in ω receive the truth valuation T, and any given subset of the datoms that appear negatively in ω receive the truth valuation F:

Proposition 7-1. Let α be a ground null-free wff with no connectives other than ∧, ∨, and ¬. Let v be a truth valuation for the atoms of α such that α is true under v. If g is a datom in α that appears positively (resp. negatively) in α and is false (resp. true) under v, then there exists a truth valuation v' created from v by negating the truth valuation of g, such that α is satisfied under v'. ◇

Proof of Proposition 7-1. Put α into conjunctive normal form; this operation will not affect which datoms appear positively and negatively in α. If g appears positively in α, then changing v by making g true can only make additional conjuncts of α true, and α will still be satisfied. If g appears negatively in α, then changing v by making g false can only make additional conjuncts of α true, and α will still be satisfied. ◇

According to the intuitive justification given earlier, if g appears positively (resp. negatively) in ω and g is true (resp. false) in M, then the truth valuation of g should not be changed by inserting ω into M.

We now present formal definitions of the truth-maintenance semantics for updates. Let U be an update and let M be a model of an extended relational theory T with Skolem constant substitution σ with respect to ω. Then U(M) contains just M if φ is false in M. Otherwise, U(M) contains exactly every model M' with the same universe and mappings as M, such that

(1) M' agrees with M on the truth valuations of all null-free atoms except possibly those in (ω)_σ; and

(1a) If a datom g appears positively in (ω)_σ, then if g is true in M, g is also true in M'; and

(1b) If a datom g appears negatively in (ω)_σ, then if g is false in M, g is also false in M'; and

(2) ω is true in M'. ◇

As usual, Worlds(T') = ⋃_{M ∈ Models(T)} Worlds(U(M)).
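The following Python program is an added illustration of this definition and is not code from the dissertation. It represents a ground wff as nested tuples, decides whether a datom appears positively or negatively by tracking the parity of the negation signs above each of its occurrences, and then builds U(M) for a ground model M under three semantics: the standard semantics (every model that agrees with M outside the atoms of ω and satisfies ω), the truth-maintenance semantics (rules 1a and 1b in addition), and the minimal-change semantics (only models whose set of changed datoms is minimal under inclusion). The update formula and the two starting models are constructed for the Emp(Reid, EE) ∨ Emp(Reid, CSD) example of Section 7.2; the selection clause is taken to be T, so the case in which φ is false does not arise. The exclusive-or formula is included because the text raises it later as a case where neither datom appears positively.

```python
from itertools import product

# A ground wff is an atom name (str) or a tuple ('not', f), ('and', f, g), ('or', f, g).

def evaluate(f, v):
    """Truth value of wff f under valuation v (dict atom -> bool)."""
    if isinstance(f, str):
        return v[f]
    op = f[0]
    if op == "not":
        return not evaluate(f[1], v)
    if op == "and":
        return evaluate(f[1], v) and evaluate(f[2], v)
    return evaluate(f[1], v) or evaluate(f[2], v)

def atoms(f):
    """Set of atom names occurring in f."""
    if isinstance(f, str):
        return {f}
    return set().union(*(atoms(g) for g in f[1:]))

def negation_parities(f, depth=0, acc=None):
    """For each atom, the set of parities (0 even, 1 odd) of the number of
    negation signs governing its occurrences in f."""
    if acc is None:
        acc = {}
    if isinstance(f, str):
        acc.setdefault(f, set()).add(depth % 2)
    elif f[0] == "not":
        negation_parities(f[1], depth + 1, acc)
    else:
        for g in f[1:]:
            negation_parities(g, depth, acc)
    return acc

def appears_positively(f, g):
    """g occurs in f and never under an odd number of negation signs."""
    parities = negation_parities(f).get(g)
    return parities is not None and 1 not in parities

def appears_negatively(f, g):
    """g occurs in f and never under an even number of negation signs."""
    parities = negation_parities(f).get(g)
    return parities is not None and 0 not in parities

def update_models(omega, m, semantics):
    """U(M) for the update INSERT omega WHERE T applied to the ground model m
    (a dict assigning every atom of omega).  semantics is 'standard',
    'truth-maintenance' or 'minimal-change'."""
    names = sorted(atoms(omega))
    result = []
    for bits in product([False, True], repeat=len(names)):
        m2 = dict(m)                       # rule (1): agree with m elsewhere
        m2.update(zip(names, bits))
        if not evaluate(omega, m2):        # rule (2): omega holds in m'
            continue
        if semantics == "truth-maintenance":
            # rule (1a): positive datoms true in M stay true;
            # rule (1b): negative datoms false in M stay false.
            keeps = all(
                (m2[g] or not (appears_positively(omega, g) and m[g]))
                and (not m2[g] or not (appears_negatively(omega, g) and not m[g]))
                for g in names)
            if not keeps:
                continue
        result.append(m2)
    if semantics == "minimal-change":
        def changed(m2):
            return frozenset(g for g in names if m2[g] != m[g])
        result = [c for c in result if not any(changed(d) < changed(c) for d in result)]
    return result

def spectrum(omega, m):
    """Number of models in U(M) under each semantics; they form a chain."""
    return {s: len(update_models(omega, m, s))
            for s in ("standard", "truth-maintenance", "minimal-change")}

# Constructed example: INSERT Emp(Reid, EE) ∨ Emp(Reid, CSD) WHERE T.
OMEGA = ("or", "Emp(Reid,EE)", "Emp(Reid,CSD)")
REID_IN_EE = {"Emp(Reid,EE)": True, "Emp(Reid,CSD)": False}
REID_NOWHERE = {"Emp(Reid,EE)": False, "Emp(Reid,CSD)": False}
XOR = ("or", ("and", "a", ("not", "b")), ("and", ("not", "a"), "b"))

if __name__ == "__main__":
    print(spectrum(OMEGA, REID_IN_EE))    # {'standard': 3, 'truth-maintenance': 2, 'minimal-change': 1}
    print(spectrum(OMEGA, REID_NOWHERE))  # {'standard': 3, 'truth-maintenance': 3, 'minimal-change': 2}
    print(appears_positively(XOR, "a"), appears_negatively(XOR, "a"))  # False False
```

When Reid is already in EE, the standard semantics admits three successor models, the truth-maintenance semantics rejects the one in which Reid leaves EE (rule 1a), and the minimal-change semantics keeps only the model with no change at all; when Reid is in neither department, rules 1a and 1b impose nothing, and minimal change puts Reid into exactly one department, as described in Section 7.2.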

Skolem constants complicate matters a bit. One cannot tell whether R(a) appears positively in R(a) ∨ ¬R(e) until one knows whether e is equal to a. In general, to decide whether a datom g appears positively or negatively in a wff α, one must specify exactly which of the possible unifications within α involving g are true. If v is a wff telling exactly which of these unifications are true, such as e=a or e≠a in the current example, then one can determine whether g appears positively or negatively in α given v. For example, R(a) appears positively in R(a) ∧ ¬R(e) given e≠a, and R(a) appears neither positively nor negatively in R(a) ∧ ¬R(e) given e=a.

As with the minimal-change semantics, the Update Algorithm Version I need be altered only slightly to implement the truth-maintenance semantics. The only change is in formula (2) in Step 4, which must be split into three separate cases:

Step 4''. Restrict the scope of the update. For each datom f in σ_H, let Σ be the set of all most general substitutions σ under which f unifies with an atom of ω. Let V_Σ be the set containing all satisfiable wffs v, where v is the conjunction containing a conjunct σ or ¬σ for every substitution σ ∈ Σ. Add the wff

$$(f \leftrightarrow H(f,U)) \lor \Big((\phi)_{\sigma_H} \land \bigvee_{v \in V_\Sigma} (v \land \tau)\Big) \qquad (2'')$$

to T', where τ is defined as

$$\tau = \begin{cases} H(f,U), & \text{if } f \text{ appears negatively in } \omega \text{ given } v;\\ \neg H(f,U), & \text{if } f \text{ appears positively in } \omega \text{ given } v;\\ T, & \text{otherwise.} \end{cases}$$ ◇

Example. Let T be an extended relational theory not containing Skolem constants, and let U be INSERT ¬Emp(Reid, CSD) ∨ Emp(Reid, e) WHERE T. Then Step 4'' produces the two wffs

$(Emp(Reid, CSD) \leftrightarrow H(Emp(Reid, CSD), U)) \lor (T \land ((e = CSD \land T) \lor (e \neq CSD \land H(Emp(Reid, CSD), U))))$

$(Emp(Reid, e) \leftrightarrow H(Emp(Reid, e), U)) \lor (T \land ((e = CSD \land T) \lor (e \neq CSD \land \neg H(Emp(Reid, e), U)))).$ ◇
Theorem 7-4. Given an extended relational theory T and an update U, the Update Algorithm Version I, with Step 4 replaced by 4'', accomplishes U under the truth-maintenance semantics. ◇

Proof of Theorem 7-4. This new algorithm produces a set of alternative worlds that is a subset of those produced by the Update Algorithm Version I, since formula (2'') logically entails formula (2). Therefore the proof of Theorem 4-1 can be used to show that the new algorithm is correct, with one exception: if M_4 is a model produced by the new algorithm, we must show that M_4 obeys rules 1a and 1b in the truth-maintenance semantics. Let M_4 be a model of T_4 where (φ)_{σ_H} is true; let σ_4 be the Skolem constant substitution for M_4 with respect to T and U; and let M be defined exactly as in the proof of Theorem 4-1. If g is a datom that appears positively in (ω)_{σ_4}, then g also appears positively in ((ω)_σ)_{σ_4} for some σ ∈ Σ. Therefore by formula (2''), if g has the same truth valuation in M as in M_4 then rules 1a and 1b are satisfied by M_4. If g has a different truth valuation in M_4 than in M, then by formula (2''), H(g, U) must be false in M_4, and therefore g must be false in M. In this case, g also satisfies rules 1a and 1b. Similarly, if g is a datom that appears negatively in (ω)_{σ_4}, then g also appears negatively in ((ω)_σ)_{σ_4} for some σ ∈ Σ. Therefore by formula (2''), if g has the same truth valuation in M as in M_4 then rules 1a and 1b are satisfied by M_4. If g has a different truth valuation in M_4 than in M, then by formula (2''), H(g, U) must be true in M_4, and therefore g must be true in M. Since g satisfies rules 1a and 1b, we conclude that World(M_4) ∈ Worlds(U(M)). ◇

We conclude this section by analyzing the truth-maintenance semantics in the same framework as for other proposed semantics. First, the computational complexity of the Update Algorithm for the truth-maintenance semantics is no higher than for the standard semantics in the case of ground updates and theories; when Skolem constants are present, the size of the formulas added in Step 4'' depends on the number of datoms in ω that unify with one another. If there are D such most general unifications, then $O(k\,2^D)$ is the maximum size of an instantiation of formula (2''), implying that in the worst case Step 4'' can add $O(nk\,2^D)$ occurrences of atoms to T'. D can be as large as $\binom{k}{2}$ (when every datom of ω unifies with every other datom of ω).

For  comprehensibility  and  intuition,  the  semantics  initially  scores  well;  but 
when  more  complicated  updates  are  contemplated  and  the  question  of  update 
equivalence  is  raised  (Chapter  8),  the  criteria  for  equivalence  are  more  complex 
than  we  find  ideal,  due  to  dependence  on  the  syntax  of  the  update. 

Theorem  7-5  shows  that  the  truth-maintenance  semantics  has  sufficient 
expressive  power. 


Theorem 7-5. Let T_1 and T_2 be extended relational theories over the same language, with the same strict axioms, containing disjoint sets of Skolem constants,† such that T_1 is consistent. Then under the truth-maintenance semantics, there exists an update U such that $\mathrm{Worlds}(U(T_1))|_{\mathcal{D}} = \mathrm{Worlds}(T_2)|_{\mathcal{D}}$, where $\mathcal{D}$ is $\mathcal{L}$ minus the Skolem constants appearing in T_1. ◇

As for other aspects of expressive power, it may be argued that the definition of positive and negative presence in a wff should be more strongly related to syntax and less strongly to logical implication. For example, if one were to request the insertion of the exclusive-or of two datoms a and b, is it intuitive or desirable that a and b do not appear positively in ω?

Before the proof of Theorem 7-5, we present the proof of Theorem 7-1, which is the equivalent of Theorem 7-5 for the standard semantics. Both proofs make use of a Reformat() function that systematically removes all history atoms from the body of T, when that body is expressed as a conjunction of formulas B. The idea is to remove each history atom h from B by replacing B by $(B)^{T}_{h} \lor (B)^{F}_{h}$. If B contains no Skolem constants, this operation preserves the alternative worlds of B. If B contains Skolem constants, then the truth valuation of h may determine the truth valuation of other datoms, such as in the formula H(e) ∧ e=c ∧ ¬H(c). For formulas such as this, all unifications of h with atoms of B must be taken into account before h is replaced by a truth value.

Definition. Let α be a ground wff, and let T be an extended relational theory. Then Reformat(α) is the wff β formed from α by the following procedure:

1. Initialize. Set β to be α.

2. Repeat. If β contains no history atoms, then the procedure terminates.

3. Remove a history atom. Let h be a history atom in β. Let Σ be the set of most general unifications under which h unifies with an atom of β, and let S be the power set of Σ. Replace β by the formula

$$\bigvee_{s \in S}\Big(\bigwedge_{\sigma \in s}\sigma \;\land\; \bigwedge_{\sigma \in \Sigma - s}\neg\sigma \;\land\; \big((\beta)^{T}_{h,h_1,\ldots,h_n} \lor (\beta)^{F}_{h,h_1,\ldots,h_n}\big)\Big)$$

where h_1 through h_n are the atoms in β that unify with h under a most general substitution σ in s. Go back to step 2. ◇

Proof of Theorem 7-1. Let U be the update

INSERT $\bigwedge_{g \in T_1}(g \lor \neg g) \land \mathrm{Reformat}(B)$ WHERE T,

where g ranges over the datoms of T_1 and B is the conjunction of all the formulas in the body of T_2. The first conjunct of ω establishes that every datom in T_1 can change its truth valuation. From this and the second conjunct, the theorem will follow if we can show that T_2', the extended relational theory with body Reformat(B), has the same alternative worlds as T_2. Assume without loss of generality that the body of T_2 is the single formula B.

† This restriction is needed to avoid naming conflicts; if it is violated, rename the Skolem constants of one of the theories before testing.

We first show that models of T_2 are also models of T_2'. Suppose that M is a model of T_2 but not of T_2'. Then B is true in M but Reformat(B) is false in M.

Let s be the maximal member of S such that all the substitutions σ in s are true in M. Let h be any history atom in B, and let h_1 through h_n be the atoms of B with which h unifies under substitutions in s. Then M is a model of $\bigwedge_{\sigma \in s}\sigma \land \bigwedge_{\sigma \in \Sigma - s}\neg\sigma$. Further, if h is true in M then M is a model of $(B)^{T}_{h,h_1,\ldots,h_n}$, and if h is false in M then M is a model of $(B)^{F}_{h,h_1,\ldots,h_n}$. Inducting, we conclude that Reformat(B) must be true in M, a contradiction.

We now show the reverse direction. Suppose that there is an alternative world A such that A ∈ Worlds(T_2') but A ∉ Worlds(T_2). For M any model of T_2' with alternative world A, B is false in M. We will construct a particular choice of M from A by iteratively adding history atom truth assignments to A. We will choose these truth assignments by running the Reformat() procedure backward. Initially, let M contain just the truth assignments and mappings given in A.

Let s be the maximal member of S such that all the substitutions σ in s are true in M. Then M is a model of $\bigwedge_{\sigma \in s}\sigma \land \bigwedge_{\sigma \in \Sigma - s}\neg\sigma$. Let h be the last history atom in B to be replaced by the Reformat() procedure, and let β be the partially reformatted version of B right before h is removed. Let h_1 through h_n be the atoms of β with which h unifies under σ. Reformat(B) is true in M; therefore either $(\beta)^{T}_{h,h_1,\ldots,h_n}$ or $(\beta)^{F}_{h,h_1,\ldots,h_n}$ is true in M. If the former disjunct is true, assign T to h in M; otherwise, make h false in M. Then M satisfies β.

Inducting, we conclude that M must be a model of B and T_2, a contradiction. We conclude that all models of T_2' are models of T_2, and that T_2' and T_2 have the same alternative worlds. ◇

Proof of Theorem 7-5. Let U be the update

INSERT $\bigwedge_{g \in T_1}(g \lor \neg g) \land \bigwedge_{g \in T_2}(g \lor \neg g) \land \mathrm{Reformat}(B)$ WHERE T,

where g ranges over the datoms of T_1 and T_2. Then no datom appears positively or negatively in U, and the remainder of the proof follows from the proof of Theorem 7-1. ◇

7.5.  Summary  and  Conclusion 

In  this  chapter  we  identified  a  spectrum  of  possible  update  semantics,  ranging 
from  the  standard  semantics  at  one  extreme  to  variants  of  the  minimal-change 
semantics  on  the  other.  We  showed  how  the  Update  Algorithm  was  easily  adapted 
to  other  choices  of  semantics  by  changing  the  formula  of  Step  4. 

Unless the semantics of the application dictate otherwise, we find the standard semantics to be preferable to the minimal-change semantics for two reasons: First, a separate type of update is needed under the minimal-change semantics in order to move from a situation with more knowledge to a situation with less. For example, under the minimal-change semantics one cannot directly observe that the truth valuation of a fact is now unknown, since formulas such as Emp(Reid, CSD) ∨ ¬Emp(Reid, CSD) are already true in all models of any extended relational theory. The new type of update could have the standard semantics, a non-model-based minimal-change semantics, or some hybrid semantics.

Second, the Update Algorithm is more expensive under the minimal-change semantics: in executing a minimal-change update, the size of T may increase by a number of atoms that is exponential in the size of the update. This is true even though the alternative worlds produced by the minimal-change semantics are always a subset of those that would be produced by the standard semantics: the subset is more difficult to characterize than the set as a whole.

Chapter 8: Equivalence of Updates


Chapter 7 delved into the properties of a variety of semantics: the standard semantics, defined in Chapter 3; the minimal-change semantics, a subset of which was used by DeKleer [85] and Reiter [85]; Weber's semantics [Weber 85]; and the truth-maintenance semantics. One of the criteria for choosing a semantics for updates, as discussed in Chapter 7, is update comprehensibility: a user should be able to look at an update and understand what the update will do. Though a qualitative discussion of the merits of different choices for semantics is indispensable, we have found that theorems on equivalence of updates also go a long way toward exposing the peculiarities of a particular choice of semantics. Such theorems tell exactly whether two updates look similar but really aren't, and whether two different-looking updates really are the same; they provide an impassionate demonstration of the properties of different semantics. Equivalence theorems can be used to evaluate how well a given semantics meets intuition: if a pair of updates should be the same according to intuition, but an equivalence theorem says that they are different (or vice versa), then the discrepancy can be registered as a mark against that semantics.

Section 8.1 of this chapter includes a set of semantics-independent theorems on update equivalence. These theorems will simplify the proofs of subsequent sections, and demonstrate patterns that recur across a wide class of semantics. Section 8.1 shows that strict axioms can be eliminated from consideration when considering update equivalence for a broad class of semantics; Section 8.2 does the same for Skolem constants. Section 8.3 includes theorems exactly characterizing when two updates are equivalent under the standard semantics, and Sections 8.4 and 8.5 do the same for the minimal-change and truth-maintenance semantics, respectively. We begin by defining update equivalence.

Definitions. If U1 and U2 are two updates over a language L, then U1 and U2 are equivalent if for every extended relational theory T over L, Worlds(U1(T)) = Worlds(U2(T)). U1 and U2 are equivalent with respect to a model M of T if Worlds(U1(M)) = Worlds(U2(M)). U1 and U2 are equivalent with respect to an extended relational theory T if Worlds(U1(T)) = Worlds(U2(T)).

8.1.  Semantics-Independent  Theorems  on  Update  Equivalence 

This section includes theorems on update equivalence that are in large part independent of the choice of semantics for updates. The goal of this section is to build up general principles for use in attacking the update equivalence problem. In particular, we will develop a technique for reducing the question of equivalence of updates with different selection clauses φ to the case of a single selection clause; eliminate the need to consider extended relational theories with strict axioms when investigating equivalence; and suggest a methodology for deriving theorems about update equivalence.

The  standard,  minimal-change,  and  truth-maintenance  semantics  are  all 
members  of  the  larger  class  of  semantics  under  consideration  in  this  section.  This 
class  is  composed  of  those  semantics  that  satisfy  a  set  of  five  basic  properties.  In 
particular: 

(1) These semantics must be defined by the alternative worlds an update produces when applied to the individual alternative worlds of an extended relational theory;

(2) For any update U applied to an extended relational theory T over a language L, there must exist another extended relational theory T' over L such that Worlds(T') = Worlds(U(T));

Property  (2)  ensures  that  updates  map  extended  relational  theories  to 
extended  relational  theories  under  any  semantics  in  this  class. 

(3) If two updates U1 and U2 over L are equivalent, then they must be equivalent over all extensions of L.

Property (3) ensures that the semantics does not include explicit tests for whether specific constants are in L.

Properties  (4)  and  (5)  are  a  bit  more  complicated;  their  intent  is  to  ensure 
that  the  effect  of  any  update  U  on  a  model  M  of  an  extended  relational  theory 
T  is  independent  of  the  other  models  of  T.  More  formally: 

(4) If M is a model of two extended relational theories T1 and T2 without strict axioms, then U(M) must be the same regardless of whether T1 or T2 is being updated.

Weber’s  semantics  fails  to  satisfy  basic  property  (4):  Weber’s  semantics 
examines  every  model  of  T  before  deciding  what  the  effect  of  an  update  should 
be. 

(5) For two models M1 and M2 of an extended relational theory T and any update U, if M1 and M2 agree on the truth valuations of all datoms and equality atoms, then U(M1) = U(M2).

Property  (5)  says  that  when  two  models  “represent”  the  same  complete- 
information  database,  an  update  will  affect  them  identically. 

Properties  (1)  and  (4)  together  ensure  that  although  update  syntax  may 
be  important  for  a  semantics  in  this  class,  syntax  does  not  play  a  role  in  the 
bodies  of  extended  relational  theories:  if  two  extended  relational  theories  have 
the  same  axioms,  then  they  will  have  identical  sets  of  alternative  worlds  after  a 
series  of  updates  under  any  semantics  in  this  class  if  the  bodies  of  the  two  theories 
are  logically  equivalent.  Properties  (4)  and  (5)  also  have  ramifications  for  update 
equivalence  testing: 
Theorem 8-1. Two null-free updates U1 and U2 are equivalent iff for all models M of extended relational theories, U1 and U2 are equivalent with respect to M. ◇

Proof of Theorem 8-1. To show that this condition is sufficient for equivalence, note that if U1 and U2 are equivalent with respect to every model of an extended relational theory T, then they must be equivalent with respect to T.

To show that this condition is necessary for equivalence, suppose that U1 and U2 are equivalent, but for some model M of an extended relational theory T, Worlds(U1(M)) ≠ Worlds(U2(M)). By basic property (3), U1 and U2 must be equivalent with respect to (T)σ, where σ is the Skolem constant substitution for M with respect to T. Then M is a model of (T)σ, and Worlds(U1(M)) ≠ Worlds(U2(M)). But any other model M' of (T)σ agrees with M on the truth valuation of all atoms, and therefore by basic property (5), U1 and U2 are not equivalent with respect to (T)σ, a contradiction. ◇

Some  of  the  theorems  presented  in  this  section  only  apply  to  semantics 
that  meet  additional,  less  basic  criteria: 

P1. The Irrelevance Principle. Let M be a model of an extended relational theory, and let U be the update INSERT ω WHERE F. Then Worlds(U(M)) = {World(M)}.

P2. The φ-Independence Principle. Given the two updates INSERT ω WHERE φ1 and INSERT ω WHERE φ2, if φ1 and φ2 are both true in a model M, then these two updates are equivalent with respect to M.

Principle P1 says that an update with selection clause F does not change the alternative world of any model to which it is applied. Principle P2 ensures that φ does not have any effect on the outcome of the update other than determining the alternative worlds in which changes can take place.

Proposition 8-1. The standard, minimal-change, and truth-maintenance semantics satisfy principles P1 and P2. ◇

Proof of Proposition 8-1. Left to the reader. ◇

The  following  theorem  will  motivate  a  strategy  of  attack  for  proving  update 
equivalence  under  a  variety  of  semantics. 

Theorem 8-2. Let U1 through U4 be null-free updates under a semantics that satisfies principles P1 and P2:

U1: INSERT ω1 WHERE φ,
U2: INSERT ω2 WHERE φ,
U3: INSERT ω1 WHERE ψ,
U4: INSERT ω2 WHERE ψ.

If ψ logically entails φ and U1 and U2 are equivalent, then U3 and U4 are equivalent. ◇

Proof of Theorem 8-2. Let T be an extended relational theory and M a model of T. If ψ is false in M, then by principles P1 and P2, U3 and U4 are equivalent with respect to M.

If ψ is true in M, then φ is also true in M. It follows by principle P2 that U1 and U3 are equivalent when applied to M. Similarly, U2 and U4 must be equivalent with respect to M. By Theorem 8-1, it follows that U3 and U4 are equivalent with respect to M. We conclude that U3 is equivalent to U4. ◇

The value of Theorem 8-2 is that it provides a necessary condition for two updates U1 and U2 with selection clause φ to be equivalent: For every truth valuation v of all the atoms of φ under which φ is satisfied, INSERT ω1 WHERE v† and INSERT ω2 WHERE v must be equivalent. Theorem 8-3 shows that these conditions are both necessary and sufficient.

Theorem 8-3. Let U1 and U2 be two null-free updates with semantics that satisfy principles P1 and P2:

U1: INSERT ω1 WHERE φ,
U2: INSERT ω2 WHERE φ.

Then U1 and U2 are equivalent iff for all truth valuations v for all the atoms of φ such that φ is satisfied under v, INSERT ω1 WHERE v is equivalent to INSERT ω2 WHERE v. ◇

When threshing out theorems on update equivalence, Theorem 8-3 suggests that the most fruitful strategy may be to first concentrate on updates where φ is a conjunction of literals. Theorems 8-12 and 8-16 show this technique in use for the minimal-change and truth-maintenance semantics, respectively.

Proof of Theorem 8-3. The necessity of this condition is shown by Theorem 8-2. For sufficiency, suppose that U1 and U2 satisfy this condition but are not equivalent. Then U1 and U2 produce different sets of alternative worlds when applied to some extended relational theory T. In particular, they must produce different sets of alternative worlds when applied to some model M of T. By principle P1, this implies that φ is true in M. But given that φ is true, by principle P2 the effect of U1 and U2 on M is independent of φ, and must be the same as the effect on M of INSERT ω1 WHERE v and INSERT ω2 WHERE v, where v is the truth valuation in M of the atoms of φ. Since these two updates are equivalent by definition, by Theorem 8-1 they are equivalent with respect to M. It follows that U1 and U2 must be equivalent with respect to M, and therefore U1 and U2 must be equivalent. ◇

† A truth valuation v can be written in wff form as a conjunction of literals, such that the atom a is a conjunct of v in wff form iff a receives the truth valuation T under v, and ¬a is a conjunct of v in wff form iff a receives the truth valuation F under v.

The next theorem shows that it suffices to consider only extended relational theories without strict axioms when checking update equivalence. Strict axioms were introduced for the standard semantics in Chapter 6; Principle P3 extends that definition to other choices of semantics.

Principle P3. The Strict Axiom Principle. Let T be an extended relational theory without strict axioms, and let α be a set of strict axioms. Then for any update U,

Worlds(U(T + α)) = Worlds( ⋃_{M ∈ Models(T) ∩ Models(α)} U(M) ∩ Models(α) ). ◇


In  other  words,  the  sole  effect  of  strict  axioms  on  update  semantics  is  the 
requirement  that  the  strict  axioms  be  satisfied  by  every  model  to  which  U  is 
applied  and  by  every  model  produced  by  U. 

Theorem 8-4. Two updates U1 and U2 under a semantics satisfying principle P3 are equivalent iff U1 and U2 are equivalent with respect to all extended relational theories without strict axioms. ◇

Proof of Theorem 8-4. If U1 and U2 are equivalent when applied to extended relational theories with strict axioms, then they must be equivalent when applied to extended relational theories without strict axioms, as these constitute a proper subset.

Suppose now that U1 and U2 are equivalent with respect to any extended relational theory without strict axioms, but are not equivalent with respect to some theory T that contains strict axioms. Let M be a model of T. Let T' be an extended relational theory formed from T by removing the strict axioms α of T. Let M' be a model identical to M; then M' is a model of T'. By Theorem 8-1, since U1 and U2 are equivalent with respect to T', they must be equivalent with respect to M'. But then by principle P3, U1 and U2 must be equivalent with respect to M, because Worlds(U1(M)) = Worlds(U1(M') ∩ Models(α)), and similarly for U2. We conclude that it suffices to consider extended relational theories without strict axioms when proving results about update equivalence. ◇


From  now  on,  the  statements  of  the  theorems  of  this  chapter  will  cover 
extended  relational  theories  both  with  and  without  strict  axioms,  but  the  proofs 
of  theorems  will  only  consider  extended  relational  theories  without  strict  axioms. 

For a pair of updates U1 and U2 with selection clauses φ1 and φ2, respectively, one could easily imagine a scenario where even though φ1 and φ2 were mutually exclusive, U1 just happened to produce exactly the same sets of alternative worlds as U2 did. Fortunately, Theorem 8-5 relegates this scenario to the realm of fantasy for semantics that satisfy principles P1 and P2.


Theorem 8-5. Let U1 through U4 be null-free updates under a semantics that satisfies principles P1 and P2:

U1: INSERT ω1 WHERE φ1,
U2: INSERT ω2 WHERE φ2,
U3: INSERT ω1 WHERE φ1 ∧ φ2,
U4: INSERT ω2 WHERE φ1 ∧ φ2.

Then U1 and U2 are equivalent iff

(1) U3 and U4 are equivalent;

(2) If φ1 ∧ ¬φ2 is true in a model M of an extended relational theory, then Worlds(U1(M)) = {World(M)}; and

(3) If φ2 ∧ ¬φ1 is true in a model M of an extended relational theory, then Worlds(U2(M)) = {World(M)}. ◇

Proof of Theorem 8-5. For sufficiency, since U3 and U4 are equivalent, it follows by principle P2 that U1 and U2 are equivalent with respect to any model where φ1 ∧ φ2 is true. With respect to models where ¬φ1 ∧ ¬φ2 is true, by principle P1, U1 and U2 again are equivalent. For models where φ1 ∧ ¬φ2 or φ2 ∧ ¬φ1 is true, conditions (2) and (3) and principle P1 guarantee equivalence.

For necessity, suppose condition (2) is violated in a model M of T. Then by principle P1, Worlds(U2(M)) = {World(M)}. By Theorem 8-1, for U1 and U2 to be equivalent, Worlds(U1(M)) must be {World(M)}. We conclude that condition (2) is necessary and, by symmetry, condition (3) as well.

Now suppose condition (1) is violated. Then for some model M of an extended relational theory T, φ1 ∧ φ2 is true in M and U3 and U4 are not equivalent with respect to M. Then by principle P2, U1 and U2 also are not equivalent with respect to M. By Theorem 8-1, it follows that condition (1) is necessary. ◇
8.2. Skolem Constants and Update Equivalence

In  this  section  we  show  that  the  question  of  equivalence  for  updates  and  extended 
relational  theories  containing  Skolem  constants  can  be  reduced  to  the  question 
of  equivalence  for  null-free  updates  and  theories. 

First  we  show  that  it  suffices  to  consider  null-free  extended  relational 
theories  when  proving  update  equivalence,  for  all  semantics  that  satisfy  principle 
P4: 


P4. The Substitution Principle. Let T be an extended relational theory, and let U be the update INSERT ω WHERE φ. Let Σ be the set of Skolem constant substitutions σ for the models of T. Then

Worlds(U(T)) = ⋃_{σ ∈ Σ} Worlds((U)σ((T)σ)). ◇


Proposition 8-2. The standard, minimal-change, and truth-maintenance semantics satisfy principle P4. ◇

Proof of Proposition 8-2. Left to the reader. ◇

The  semantics  used  by  Abiteboul  and  Grahne  [85]  fails  to  satisfy  principle 
P4:  the  occurrence  of  a  Skolem  constant  in  an  update  is  not  tied  to  its  occurrence 
in  T  under  their  semantics. 

Theorem 8-6. Under a semantics satisfying principle P4 on substitution, two updates U1 and U2 over a language L are equivalent iff they are equivalent when applied to every null-free extended relational theory over L or an extension of L. ◇

Theorem  8-6  shows  that  even  when  Skolem  constants  appear  in  U\  and  U2, 
it  suffices  to  consider  equivalence  with  respect  to  theories  not  containing  Skolem 
constants. 

Proof of Theorem 8-6. The necessity of this condition follows from basic property (2) and the fact that extended relational theories not containing Skolem constants are a proper subset of all extended relational theories over L and extensions of L.

For sufficiency, let T be an extended relational theory, and let Σ be the set of Skolem constant substitutions σ for the models of T. Then by principle P4, Worlds(U1(T)) = ⋃_{σ ∈ Σ} Worlds((U1)σ((T)σ)), and similarly for U2. But (T)σ is a null-free extended relational theory over L or an extension of L, so by definition (U1)σ and (U2)σ are equivalent with respect to (T)σ. It follows that U1 and U2 are equivalent with respect to every extended relational theory. ◇

We need some way of reducing the question of update equivalence for updates containing Skolem constants to a question of equivalence of null-free updates. The key observation is that it suffices to consider a finite set of substitutions σ for the Skolem constants of the updates, as long as the semantics is constant-independent, as defined in principle P5. This principle and the following theorem make use of a new variety of syntactic replacement called a constant swap. A constant swap is a simultaneous syntactic replacement σ of one set of constants by another, such that for any wff α, ((α)σ)σ is α. For example, the swap that exchanges c and c' is a typical constant swap, one that replaces all occurrences of c by c' and vice versa. Constant swaps differ from substitutions in that all replacements are accomplished simultaneously.

P5. The Constant-Independence Principle. Let U be a null-free update, and let T and T' be null-free extended relational theories such that Worlds(T') = Worlds(U(T)). Let σ be a constant swap over any extension of L. Then Worlds((U)σ((T)σ)) = Worlds((T')σ). ◇

The  idea  of  principle  P5  is  that  renaming  constants  in  T  and  U  and  then 
performing  U  should  be  equivalent  to  first  performing  U  and  then  renaming  the 
constants  in  the  resulting  theory.  This  is  very  similar  to  principle  P4,  but  with  a 
different  goal:  assuring  that  no  elements  in  the  universe  get  special  treatment  in 
the  semantics. 

Proposition 8-3. The standard, minimal-change, and truth-maintenance semantics satisfy principle P5. ◇

Proof of Proposition 8-3. Left to the reader. ◇

Theorem 8-7. Let U1 and U2 be updates under a semantics satisfying principles P3, P4, and P5:

U1: INSERT ω1 WHERE φ,
U2: INSERT ω2 WHERE φ.

Suppose that U1 and U2 contain n Skolem constants. Let C be the set containing all the constants of U1 and U2 plus n additional constants (extend L and the unique name axioms if necessary). Let Σ_C be the set of all substitutions of constants in C for all the Skolem constants of U1 and U2. Then U1 and U2 are equivalent iff

(1) φ is unsatisfiable; or

(2) For all substitutions σ_C ∈ Σ_C, (U1)σ_C is equivalent to (U2)σ_C. ◇
The suggested set of substitutions Σ_C in Theorem 8-7 is of size exponential in the number of constants and Skolem constants in the update; the size of this set can in general be reduced. For example, if there are no equality atoms in U1 and U2 that contain Skolem constants, only one substitution need be included in Σ_C. If there is just one equality atom, containing a single Skolem constant, only two substitutions need be considered: one where the equality atom is true, and another where it is false.

Theorem 8-7 and principle P5 can be generalized by permitting special treatment in the semantics for any finite set of constants. For example, an analogue of Theorem 8-7 will be true if all datoms over constants occurring in the body or strict axioms of T are treated specially by the semantics. All such constants must be included in C.

The  proof  of  Theorem  8-7  uses  a  special  property  of  constant  swaps: 

Proposition 8-4. Let T1 and T2 be two theories, and let σ be a constant swap. Then Worlds(T1) = Worlds(T2) iff Worlds((T1)σ) = Worlds((T2)σ). ◇

Proof of Proposition 8-4. Let M1 be a model of T1, and M2 a model of T2. Let M1' be a model created from M1 as follows: Let the constant and Skolem constant mappings of M1' be the same as those of M1, except that if c is exchanged with c' by σ, then in M1' c' is mapped to the universe element that c was mapped to in M1. Let every atom g in M1' have the truth valuation of (g)σ in M1. The unique name axioms are satisfied by M1', because σ is invertible. Then M1' is a model of (T1)σ, because the truth valuation of every atom g in M1 is the same as that of (g)σ in M1'.

Construct M2' similarly. Then M1 and M2 have the same universe and constant and Skolem constant mappings iff M1' and M2' do. Further, an atom g is true in M1 and M2 iff (g)σ is true in both M1' and M2'. We conclude that World(M1) = World(M2) iff World(M1') = World(M2'). ◇

Proof of Theorem 8-7. Necessity is immediate for any semantics satisfying principle P4.

For sufficiency, suppose that M is a model of an extended relational theory T without Skolem constants, such that U1 and U2 are not equivalent with respect to M. Let σ be the Skolem constant substitution for M with respect to U1 and U2. Then σ is not in Σ_C, and must include some constant c that is not in C and therefore does not occur in U1 or U2. There are at most n of these constants. Let σ' be the constant swap that replaces all such constants c by constants c' that occur in C but not in (U1)σ or (U2)σ. By definition of Σ_C, this must be possible.

Then for some substitution σ_C ∈ Σ_C, ((U1)σ)σ' = (U1)σ_C and ((U2)σ)σ' = (U2)σ_C, so ((U1)σ)σ' and ((U2)σ)σ' are equivalent by assumption.

Because Worlds((U1)σ(M)) ≠ Worlds((U2)σ(M)), it follows from Theorem 8-1 that Worlds((U1)σ((T)σ)) ≠ Worlds((U2)σ((T)σ)). By principle P5 and Proposition 8-4, Worlds(((U1)σ)σ'(((T)σ)σ')) ≠ Worlds(((U2)σ)σ'(((T)σ)σ')). But ((U1)σ)σ' and ((U2)σ)σ' are equivalent by assumption. We conclude that this condition is sufficient for equivalence. ◇

8.3.  The  Standard  Semantics  and  Update  Equivalence 

Under the standard semantics, what conditions govern equivalence when two updates have different selection clauses φ? Theorem 8-5 says that if U1 and U2 are two equivalent null-free updates with selection clauses φ1 and φ2, respectively, then U1 must not make any changes in any model where φ2 is false, and vice versa. This characterization is almost sufficient; it only lacks exact conditions under which a standard-semantics update will not change an alternative world.

Theorem 8-8. Let U1 and U2 be two null-free updates under the standard semantics:

U1: INSERT ω1 WHERE φ1,
U2: INSERT ω2 WHERE φ2.

Then U1 and U2 are equivalent iff

(1) INSERT ω1 WHERE φ1 ∧ φ2 is equivalent to INSERT ω2 WHERE φ1 ∧ φ2;

(2) φ1 ∧ ¬φ2 logically entails ω1 and φ2 ∧ ¬φ1 logically entails ω2; and

(3) If φ1 ∧ ¬φ2 is satisfiable, then ω1 is uniquely satisfiable†; and if φ2 ∧ ¬φ1 is satisfiable, then ω2 is uniquely satisfiable. ◇

Proof of Theorem 8-8. By Theorem 8-5, condition (1) is necessary. To see that condition (3) is necessary, suppose that, say, φ1 ∧ ¬φ2 is satisfiable with truth valuation u for the datoms of φ1 and φ2. Let T be an extended relational theory with body u. Let M be a model of T; then U2(M) = {M}. For U1 to be equivalent to U2, then, U1 cannot change the alternative world of M, by Theorem 8-1. Since the number of alternative worlds U1 produces from M will be equal to the number of valuations for ω1 that satisfy ω1, if U1 is equivalent to U2 there must be only one valuation, v, that satisfies ω1; therefore condition (3) is necessary. To show that condition (2) is necessary, since Worlds(U1(M)) must be {World(M)}, v must agree with u on all datoms in v. Since u may be any valuation satisfying φ1 ∧ ¬φ2, v must be a subset of every valuation satisfying φ1 ∧ ¬φ2; in other words, φ1 ∧ ¬φ2 logically entails v; since v is logically equivalent to ω1, φ1 ∧ ¬φ2 logically entails ω1, implying that condition (2) is also necessary. The proof is symmetric if φ2 ∧ ¬φ1 is satisfiable.

We now turn to the reverse implication, namely, that if conditions (1) through (3) are met, then U1 and U2 are equivalent. By Theorem 8-5, it suffices to show that conditions (2) and (3) imply that U1 will not change the alternative world of a model where φ1 ∧ ¬φ2 is true. But this follows immediately from conditions (2) and (3). A similar line of reasoning holds if φ2 ∧ ¬φ1 is true in a model. We conclude that U1 and U2 are equivalent when applied to T. ◇

† A wff α is uniquely satisfiable if there exists exactly one truth valuation v for all the atoms of α such that α is true under v.

We now turn to the question of equivalence for pairs of updates having the same selection clause φ. We begin with a simple sufficient criterion for equivalence under the standard semantics:

Theorem 8-9. Let U1 and U2 be two null-free updates under the standard semantics:

U1: INSERT ω1 WHERE φ,
U2: INSERT ω2 WHERE φ.

If ω1 and ω2 are logically equivalent and the same datoms occur in ω1 and ω2, then U1 is equivalent to U2. ◇

Proof of Theorem 8-9. Assume that ω1, and therefore ω2, is satisfiable, as otherwise the theorem follows immediately. For any extended relational theory T without strict axioms, consider the effects of U1 and U2 on a model M of T. U1 must produce a model M' from M, since ω1 is satisfiable. We wish to show that World(M') ∈ Worlds(U2(M)). If φ is false in M, this follows immediately. Otherwise ω2 must be true in M', because ω1 and ω2 are logically equivalent; and therefore rule 2 in the standard-semantics definition of INSERT is satisfied for U2 by M'. Rule 1 in the definition of INSERT is also satisfied for U2 by M', since U1 and U2 contain the same datoms. ◇

To see that the criteria of Theorem 8-9 are sufficient but not necessary, consider the two equivalent updates INSERT f WHERE f ∧ g and INSERT g WHERE f ∧ g. These two updates fail the test of Theorem 8-9 because ω1 and ω2 contain datoms whose truth valuation is logically entailed by both φ and ω. To produce necessary and sufficient criteria, it will be advantageous to remove all such datoms from ω by reducing ω:

Definition. Let U be the update INSERT ω WHERE φ under the standard semantics. The reduction of ω with respect to φ, written red(ω, φ), is formed from ω by making the following substitutions for every datom g in ω:

1. If φ and ω both logically entail g, replace g by T in ω.

2. If φ and ω both logically entail ¬g, replace g by F in ω. ◇

This  definition  may  seem  a  bit  odd  for  the  case  where  <f>  is  unsatisfiable, 
but  such  updates  aren’t  very  interesting  anyway: 

Proposition 8-5. Under the standard semantics, any update U: INSERT ω WHERE φ is equivalent to INSERT red(ω, φ) WHERE φ. ◇

Proof of Proposition 8-5. Proof by induction: consider a single step in the reduction process. If g is a datom of ω that is eliminated in this step, then the insertion of ω into a model where φ is true cannot change the truth valuation of g. When g is replaced by T or F, creating ω', every set of truth valuations that satisfied ω maps into one set that satisfies ω', such that the two sets agree on every datom in common. Therefore inserting ω' into a model where φ is true will have the same effect as inserting ω into that model. ◇

Once  the  updates  being  tested  for  equivalence  have  been  reduced,  little 
work  remains: 

Theorem 8-10. Let U1 and U2 be null-free updates under the standard semantics:

U1: INSERT ω1 WHERE φ,
U2: INSERT ω2 WHERE φ.

U1 and U2 are equivalent iff (1) φ is unsatisfiable or (2) red(ω1, φ) and red(ω2, φ) contain the same datoms and are logically equivalent. ◇

Examples. If U1 is INSERT g WHERE T and U2 is INSERT g ∨ T WHERE T, then these two updates are reduced. Since g is not logically equivalent to g ∨ T, the two updates must not be equivalent; they differ on producing models where g is false. For updates INSERT g WHERE g ∧ f and INSERT f WHERE g ∧ f, in both cases ω is replaced by T during reduction, and the two updates become identical. Theorem 8-10 will proclaim these two updates equivalent.
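The reduction red(ω, φ), the Theorem 8-10 test, and the model-by-model check of Theorem 8-1, worked through in Python for a propositional null-free fragment of the update language; this is an added example and not code from the dissertation. Its INSERT follows rules 1 and 2 as described in the proof of Theorem 8-9 rather than the Chapter 3 definition, which is not reproduced here, and all function names (insert, reduce_omega, equivalent_by_theorem_8_10 and so on) are the example's own.

```python
from itertools import product

# Added example (not the dissertation's code).  Propositional, null-free
# fragment: a formula is 'T', 'F', ('atom', name), ('not', f), ('and', f, g)
# or ('or', f, g); a complete world is the frozenset of datoms true in it.

def atoms(f):
    """Set of datom names occurring in formula f."""
    if f in ('T', 'F'):
        return set()
    if f[0] == 'atom':
        return {f[1]}
    return set().union(*(atoms(sub) for sub in f[1:]))

def holds(f, world):
    """Truth value of formula f in a complete world."""
    if f in ('T', 'F'):
        return f == 'T'
    op = f[0]
    if op == 'atom':
        return f[1] in world
    if op == 'not':
        return not holds(f[1], world)
    if op == 'and':
        return holds(f[1], world) and holds(f[2], world)
    if op == 'or':
        return holds(f[1], world) or holds(f[2], world)
    raise ValueError(f"unknown connective {op!r}")

def all_worlds(universe):
    """Every truth valuation of the datoms in `universe`, as a world."""
    names = sorted(universe)
    for bits in product((False, True), repeat=len(names)):
        yield frozenset(n for n, b in zip(names, bits) if b)

def insert(omega, phi, world):
    """INSERT omega WHERE phi on one complete world, following rules 1 and 2
    as described in the proof of Theorem 8-9 (an assumption of this example):
    if phi is false the world is unchanged (principle P1); otherwise the result
    is every world agreeing with `world` outside omega's datoms (rule 1) and
    satisfying omega (rule 2)."""
    if not holds(phi, world):
        return {world}
    fixed = world - atoms(omega)
    return {fixed | sub for sub in all_worlds(atoms(omega))
            if holds(omega, fixed | sub)}

def equivalent_by_models(u1, u2):
    """Theorem 8-1: null-free updates are equivalent iff they agree on every
    model.  Untouched datoms never matter, so worlds over the datoms of u1
    and u2 suffice for this fragment."""
    universe = set().union(*(atoms(f) for f in u1 + u2))
    return all(insert(*u1, w) == insert(*u2, w) for w in all_worlds(universe))

def entails(premise, f, universe):
    """True iff every world of `universe` satisfying premise satisfies f."""
    return all(holds(f, w) for w in all_worlds(universe) if holds(premise, w))

def substitute(f, name, constant):
    """Replace every occurrence of datom `name` in f by 'T' or 'F'."""
    if f in ('T', 'F'):
        return f
    if f[0] == 'atom':
        return constant if f[1] == name else f
    return (f[0],) + tuple(substitute(sub, name, constant) for sub in f[1:])

def reduce_omega(omega, phi):
    """red(omega, phi): replace a datom g of omega by T when phi and omega
    both entail g, and by F when phi and omega both entail not-g."""
    universe = atoms(omega) | atoms(phi)
    for g in sorted(atoms(omega)):
        pos, neg = ('atom', g), ('not', ('atom', g))
        if entails(phi, pos, universe) and entails(omega, pos, universe):
            omega = substitute(omega, g, 'T')
        elif entails(phi, neg, universe) and entails(omega, neg, universe):
            omega = substitute(omega, g, 'F')
    return omega

def equivalent_by_theorem_8_10(u1, u2):
    """Theorem 8-10 for two updates with the same selection clause phi:
    equivalent iff phi is unsatisfiable, or the reduced omegas contain the
    same datoms and are logically equivalent."""
    (omega1, phi), (omega2, _) = u1, u2      # u2 is assumed to share phi
    universe = atoms(omega1) | atoms(omega2) | atoms(phi)
    if not any(holds(phi, w) for w in all_worlds(universe)):
        return True
    r1, r2 = reduce_omega(omega1, phi), reduce_omega(omega2, phi)
    same_datoms = atoms(r1) == atoms(r2)
    same_truth = all(holds(r1, w) == holds(r2, w) for w in all_worlds(universe))
    return same_datoms and same_truth

F, G = ('atom', 'f'), ('atom', 'g')
# The two pairs from the Examples paragraph, plus a constructed pair whose
# omegas are logically equivalent but mention different datoms.
EXAMPLE_PAIRS = [
    ((G, 'T'), (('or', G, 'T'), 'T')),                      # not equivalent
    ((G, ('and', G, F)), (F, ('and', G, F))),               # equivalent
    ((F, 'T'), (('and', F, ('or', G, ('not', G))), 'T')),   # not equivalent
]
```

On every pair the brute-force check and the Theorem 8-10 test return the same verdict; the third pair shows why the theorem demands the same datoms and not merely logical equivalence.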

Proof  of  Theorem  8*10.  By  Proposition  8-5,  it  suffices  to  prove  this 
theorem  for  the  case  where  u>i  and  u2  are  already  reduced  with  respect  to  <f>. 
Assume  that  4>  is  satisfiable,  as  otherwise  the  theorem  follows  immediately. 

We first show that ω₁ and ω₂ must contain the same datoms. Suppose
that g is a datom that is a subformula of, say, ω₁ but not of ω₂. Let M be a
model of an extended relational theory T such that ω₁ is true in M. Let M′
be created from M by negating the truth valuation in M of g, and negating as
few additional truth valuations as possible in order to make φ true in M′. By
the definition of reduction, the truth valuation of g in M′ need not be negated
again in order to satisfy φ. Then World(M) ∈ Worlds(U₁(M′)), but World(M)
∉ Worlds(U₂(M′)). We conclude that U₁ and U₂ cannot be equivalent unless
they contain the same datoms.

We now show that if ω₁ and ω₂ are not logically equivalent, then U₁ and
U₂ are not equivalent. Select a truth valuation v for all the atoms of ω₁ and
ω₂ such that, say, v satisfies ω₁ but not ω₂. Let u be a truth valuation for all
the datoms of φ such that φ is satisfied under u. Create an extended relational
theory T without strict axioms, with body u, and let M be a model of T. Let
M′ be a model that agrees with v on all valuations of v, and with M on all other
information. Since ω₁ is satisfied in M′ by construction, and M′ agrees with
M on all datoms not in ω₁, it follows that World(M′) ∈ Worlds(U₁(M)). M′
cannot be a model of an alternative world of U₂(M), because ω₂ is false in M′.
From Theorem 8-1, it follows that ω₁ and ω₂ must be logically equivalent if U₁
and U₂ are equivalent.

We now turn to the reverse implication, namely, that if ω₁ and ω₂ are
logically equivalent and contain the same datoms, then U₁ and U₂ are equivalent.
Assume that ω₁, and therefore ω₂, is satisfiable, as otherwise the theorem follows
immediately.

For any extended relational theory T without strict axioms, consider the
effects of U₁ and U₂ on a model M of T where φ is true. Since ω₁ is satisfiable,
U₁(M) is nonempty. Suppose M′ is in U₁(M). Since ω₁ and ω₂ are logically
equivalent, ω₂ will be true in M′, so rule 2 in the definition of INSERT is satisfied
by U₂. Since ω₁ and ω₂ contain the same datoms, rule 1 is also satisfied by M′.
We conclude that U₁ and U₂ are equivalent. ◇

8.4. The Minimal-Change Semantics and Update Equivalence

We  begin  with  simple  sufficient  conditions  for  update  equivalence  under  the 
minimal-change  semantics: 

Theorem 8-11. Let U₁ and U₂ be two null-free updates under the
minimal-change semantics:

U₁: INSERT ω₁ WHERE φ₁,
U₂: INSERT ω₂ WHERE φ₂.

Then U₁ and U₂ are equivalent if

(1) If φ₁ ∧ φ₂ is satisfiable, then ω₁ and ω₂ are logically equivalent; and

(2) φ₁ ∧ ¬φ₂ logically entails ω₁ and φ₂ ∧ ¬φ₁ logically entails ω₂. ◇

Proof of Theorem 8-11. First note that condition (1) implies that
INSERT ω₁ WHERE φ₁ ∧ φ₂ is equivalent to INSERT ω₂ WHERE φ₁ ∧ φ₂. Therefore by
Theorem 8-5, it suffices to show that condition (2) implies that if φ₁ ∧ ¬φ₂ is true
in a model M, then U₁(M) = {M}. But this follows immediately from the fact
that ω₁ is already true in M. A similar line of reasoning holds if φ₂ ∧ ¬φ₁ is true
in M. We conclude that conditions (1) and (2) are sufficient for equivalence.
◇


The conditions in Theorem 8-11 are in fact both necessary and sufficient
if no datom appears in both ω₁ and φ₁ or in both ω₂ and φ₂. In the general case,
however, ω₁ and ω₂ must be reduced before testing is done for logical equivalence.
For example, although R(a) and R(b) are not logically equivalent, U₁: INSERT
R(a) WHERE R(a) ∧ R(b) is equivalent to U₂: INSERT R(b) WHERE R(a) ∧ R(b),
due to interactions between the atoms of φ and ω. The following definitions
show how to reduce ω for the minimal-change semantics; the procedure is more
complex than for the standard semantics.

Definition. Let U be the update INSERT ω WHERE φ, under the minimal-
change semantics. Then the reduction of ω with respect to φ, written red(ω, φ),
is the wff formed from ω as follows:

1. Put ω into disjunctive normal form†.

2. If φ logically entails a literal l, and l appears as a conjunct of ω, then
replace that conjunct of ω by T. ◇

Examples. The reduction of R(a) ∧ (R(b) ∨ ¬R(c)) with respect to ¬R(a)
∧ R(b) is the wff (R(a) ∧ T) ∨ (R(a) ∧ ¬R(c)). For ω any wff, red(ω, T) is ω in
disjunctive normal form.

Unfortunately, even this stronger version of reduction does not lead to as
elegant a theorem of equivalence as was possible under the standard semantics.
A counterexample will illustrate why Theorem 8-10 fails to hold for the minimal-
change semantics.

Example. Let f and g be datoms. Then the reduced update U₁: INSERT
f ∨ g WHERE f ∨ g is equivalent to U₂: INSERT T WHERE f ∨ g, even though Theorem
8-10 predicts inequivalence, if co-opted for the minimal-change semantics. The
problem persists even if the requirement is removed in Theorem 8-10 that the
same datoms appear in ω₁ and ω₂. ◇

Before  the  presentation  of  the  equivalence  theorem  for  the  general  case, 
one  more  bit  of  terminology: 

Definitions. A wff ω is basic if ω is ground and does not contain Skolem
constants or the equality predicate. An update U: INSERT ω WHERE φ is basic iff
ω and φ are basic.

Theorem 8-12. Let U₁ and U₂ be basic updates under the minimal-
change semantics:

U₁: INSERT ω₁ WHERE φ₁,
U₂: INSERT ω₂ WHERE φ₂.

Let φ be the wff red(φ₁ ∧ φ₂, T). Then U₁ and U₂ are equivalent iff

(1) For every satisfiable disjunct D of φ, red(ω₁, D) is logically equivalent to
red(ω₂, D).

(2) φ₁ ∧ ¬φ₂ logically entails ω₁ and φ₂ ∧ ¬φ₁ logically entails ω₂. ◇

† For our purposes here, a literal is an atom, a negated atom, or a truth value; and ω
is in disjunctive normal form if ω is a disjunction of conjunctions of literals, and no disjunct
contains both a literal and the negation of that literal as conjuncts.
The proof of Theorem 8-12 uses three auxiliary results: two lemmas and
a  theorem.  Lemmas  8-1  and  8-2  give  useful  logical  properties  of  reduced  wffs. 
Theorem  8-13  is  interesting  in  its  own  right;  it  shows  that  the  reduction  process 
may  be  used  to  find  the  minimal  sets  of  atom  truth  valuation  changes  in  a  model 
that  will  make  a  particular  wff  true  in  that  model. 

Lemma 8-1. Two basic wffs ω₁ and ω₂ are logically equivalent iff for all
basic satisfiable conjunctions of literals φ, red(ω₁, φ) and red(ω₂, φ) are logically
equivalent. ◇

Proof of Lemma 8-1. To show that this condition is sufficient, recall
that red(ω, T) is logically equivalent to ω, for all basic wffs ω. Therefore if
red(ω₁, T) is logically equivalent to red(ω₂, T), then ω₁ and ω₂ must be logically
equivalent.

To show that this condition is necessary, let l be a basic satisfiable literal.
Assume that ω₁ and ω₂ are logically equivalent, but red(ω₁, l) and red(ω₂, l) are
not. Let v be a truth valuation for all the atoms of ω₁ and ω₂ except the atom
of l, such that v ∧ ¬l satisfies red(ω₁, l) ∧ ¬red(ω₂, l), say. (We choose v ∧ ¬l
rather than v ∧ l because v ∧ l must either satisfy both red(ω₁, l) and red(ω₂,
l) or else fail to satisfy either, as otherwise ω₁ ∧ ¬ω₂ would be satisfied by v ∧
l, an impossibility since ω₁ and ω₂ are logically equivalent.) Suppose first that
red(ω₂, l) is true under v ∧ l. Then there exists a disjunct d of ω₂ containing l
such that d is true under v ∧ l. But red(d, l) must also be true under v ∧ ¬l,
which implies that red(ω₂, l) is true under v ∧ ¬l, a contradiction.

Now suppose that red(ω₁, l) and red(ω₂, l) are both false under v ∧ l.
Then ω₁ and ω₂ are also false under v ∧ l. By definition, red(ω₂, l) is false under
v ∧ ¬l. It follows that ω₂ is false under v ∧ ¬l, because if all disjuncts d of ω₂
are such that red(d, l) is false under v ∧ ¬l, then d must also be false under v
∧ ¬l. As ω₁ and ω₂ are logically equivalent, ω₁ must also be false under v ∧ ¬l.
As red(ω₁, l) is true under v ∧ ¬l by definition, there must be some disjunct d
of red(ω₁, T), such that d is false under v ∧ l and red(d, l) is true under v ∧
¬l. Then d must contain both l and ¬l, which is forbidden by the definition of
disjunctive normal form. Therefore red(ω₁, l) and red(ω₂, l) must be logically
equivalent.

As red(ω₁, l₁ ∧ ··· ∧ lₙ) = red(··· red(ω₁, l₁), ··· , lₙ), for lᵢ a basic
literal, 1 ≤ i ≤ n, we conclude that if ω₁ and ω₂ are logically equivalent, then
red(ω₁, φ) and red(ω₂, φ) are logically equivalent. ◇

Given that two wffs ω₁ and ω₂ are not logically equivalent, Lemma 8-2
shows how to reduce ω₁ and ω₂ and still preserve that logical inequivalence.

Lemma 8-2. Let ω₁ and ω₂ be basic wffs, and let D be a satisfiable basic
conjunction of literals T ∧ l₁ ∧ ··· ∧ lₙ for n ≥ 0. If red(ω₁, D) and red(ω₂,
D) are not logically equivalent, then there exists a truth valuation v for all the
atoms of D, ω₁, and ω₂ such that D is true under v and red(ω₁, v) and red(ω₂,
v) are not logically equivalent. ◇

Proof of Lemma 8-2. Suppose red(ω₁, D) ∧ ¬red(ω₂, D) is satisfiable
under truth valuation v′. Let v be formed by concatenating D and the truth
valuations of v′ that are consistent with D. Then red(ω₁, v) is satisfied under
truth valuation v′, but red(ω₂, v) cannot be satisfied by v′. ◇

In order to characterize the minimal sets of atom truth valuation changes
in a model M that will make a particular wff true in M, we need a slightly
stronger notion of reducibility:

Definition. For ω a basic wff and φ a basic conjunction of literals, the
full reduction of ω with respect to φ, written fred(ω, φ), is obtained as follows:

1. Set fred(ω, φ) to be red(ω, φ).

2. If one satisfiable disjunct d of fred(ω, φ) logically entails another, then
remove d from fred(ω, φ). Repeat until no such disjunct remains. ◇

Example. An earlier example showed that red(R(a) ∧ (R(b) ∨ ¬R(c)),
¬R(a) ∧ R(b)) = (R(a) ∧ T) ∨ (R(a) ∧ ¬R(c)); for a full reduction, fred(R(a)
∧ (R(b) ∨ ¬R(c)), ¬R(a) ∧ R(b)) = (R(a) ∧ T). ◇

Theorem 8-13. Let ω be a basic wff, and let v be any truth valuation
for the atoms of ω. Let M be a model that satisfies v, and let M′ be a model
that agrees with M except on the truth valuations of a set S of datoms. Then
for any satisfiable disjunct d of fred(ω, v):

1. ω is true in M′ if S contains exactly the datoms of d.

2. ω is false in M′ if S is a proper subset of the datoms of d. ◇

In other words, the disjuncts of a fully reduced ω represent the minimal
changes needed to make ω true in a particular class of models. This suggests the
following property, whose proof we omit:

Proposition 8-6. The basic update INSERT ω WHERE φ is equivalent to
INSERT red(ω, φ) WHERE φ and INSERT fred(ω, φ) WHERE φ under the minimal-
change semantics. ◇
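As an added example that is not part of the dissertation, the following Python implements the reduction red(ω, φ) and the full reduction fred(ω, φ) defined above for the minimal-change semantics, the equivalence test of Theorem 8-12, and a brute-force cross-check of the minimal-change property stated in Theorem 8-13. The formula constructors, function names and atom names such as R(a) are this example's own conventions, and logical entailment is decided by enumerating truth valuations, which is adequate for the small wffs in the chapter's examples.

```python
"""Added example (not the dissertation's code): Section 8.4 reduction red(w, phi), full
reduction fred(w, phi), and executable checks of Theorems 8-12 and 8-13.  Formulas are
tuples ('atom', n), ('not', f), ('and', f, g), ('or', f, g) or 'T'/'F'; a literal is
(name, polarity); a disjunct is a frozenset of literals (empty = T); a DNF is a list of
disjuncts.  A conjunct replaced by T is dropped, so (R(a) AND T) is {('R(a)', True)}."""
from itertools import combinations, product

T, F = 'T', 'F'
def atom(n): return ('atom', n)
def neg(f): return ('not', f)
def both(f, g): return ('and', f, g)
def either(f, g): return ('or', f, g)
def lit(n, p): return atom(n) if p else neg(atom(n))
def equivalent(f, g): return entails(f, g) and entails(g, f)

def atoms(f):
    if f in (T, F): return set()
    return {f[1]} if f[0] == 'atom' else set().union(*map(atoms, f[1:]))

def holds(f, v):  # truth value of f under valuation v (dict: atom name -> bool)
    if f in (T, F): return f == T
    if f[0] == 'atom': return v[f[1]]
    if f[0] == 'not': return not holds(f[1], v)
    if f[0] == 'and': return holds(f[1], v) and holds(f[2], v)
    return holds(f[1], v) or holds(f[2], v)

def entails(f, g):  # g holds under every valuation of the atoms that satisfies f
    names = sorted(atoms(f) | atoms(g))
    vals = (dict(zip(names, bits)) for bits in product([False, True], repeat=len(names)))
    return all(holds(g, v) for v in vals if holds(f, v))

def nnf(f, negate=False):  # push negations down to the atoms
    if f in (T, F): return {T: F, F: T}[f] if negate else f
    if f[0] == 'atom': return neg(f) if negate else f
    if f[0] == 'not': return nnf(f[1], not negate)
    op = ('or' if f[0] == 'and' else 'and') if negate else f[0]
    return (op, nnf(f[1], negate), nnf(f[2], negate))

def dnf(f):
    """Distribute into DNF; drop duplicates and any disjunct holding both a literal
    and its negation (required by the page's footnote on normal form)."""
    def go(f):
        if f in (T, F): return [frozenset()] if f == T else []
        if f[0] == 'atom': return [frozenset({(f[1], True)})]
        if f[0] == 'not': return [frozenset({(f[1][1], False)})]
        if f[0] == 'or': return go(f[1]) + go(f[2])
        return [a | b for a in go(f[1]) for b in go(f[2])]
    out = []
    for d in go(nnf(f)):
        if all((n, not p) not in d for n, p in d) and d not in out: out.append(d)
    return out

def disjunct_wff(d):  # conjunction-of-literals formula for one disjunct (T if empty)
    f = T
    for n, p in sorted(d): f = lit(n, p) if f == T else both(f, lit(n, p))
    return f

def dnf_wff(ds):  # formula for a whole DNF (F if there are no disjuncts)
    f = F
    for d in ds: f = disjunct_wff(d) if f == F else either(f, disjunct_wff(d))
    return f

def red(w, phi):
    """Reduction of w w.r.t. phi: every conjunct l of DNF(w) that phi logically
    entails is replaced by T, i.e. dropped from its disjunct."""
    out = []
    for d in dnf(w):
        r = frozenset(l for l in d if not entails(phi, lit(*l)))
        if r not in out: out.append(r)
    return out

def fred(w, phi):
    """Full reduction: also remove each disjunct that logically entails another one
    (for conjunctions of literals, d entails e iff e is a proper subset of d)."""
    ds = red(w, phi)
    return [d for d in ds if not any(e < d for e in ds)]

def equivalent_updates(w1, phi1, w2, phi2):
    """Theorem 8-12 decision for INSERT w1 WHERE phi1 versus INSERT w2 WHERE phi2."""
    cond1 = all(equivalent(dnf_wff(red(w1, D)), dnf_wff(red(w2, D)))
                for D in map(disjunct_wff, dnf(both(phi1, phi2))))
    return cond1 and entails(both(phi1, neg(phi2)), w1) and entails(both(phi2, neg(phi1)), w2)

def fred_change_sets(w, v):
    """Datom sets of the disjuncts of fred(w, v), v a total valuation of w's atoms;
    Theorem 8-13 says these are the minimal sets of atoms to flip to make w true."""
    return {frozenset(n for n, _ in d) for d in fred(w, disjunct_wff(frozenset(v.items())))}

def minimal_change_sets(w, v):
    """Brute-force cross-check of Theorem 8-13: inclusion-minimal sets of atoms whose
    valuations, flipped in v, make w true."""
    names, found = sorted(atoms(w)), []
    for k in range(len(names) + 1):
        for s in map(frozenset, combinations(names, k)):
            if any(m <= s for m in found): continue             # superset of a found set
            if holds(w, {n: v[n] != (n in s) for n in names}):   # flip exactly the atoms in s
                found.append(s)
    return set(found)
```

With w = both(atom('R(a)'), either(atom('R(b)'), neg(atom('R(c)')))) and phi = both(neg(atom('R(a)')), atom('R(b)')), red(w, phi) returns the two disjuncts {R(a)} and {R(a), ¬R(c)} (the page's (R(a) ∧ T) ∨ (R(a) ∧ ¬R(c))) and fred(w, phi) keeps only {R(a)}. equivalent_updates reports the two updates INSERT R(a) WHERE R(a) ∧ R(b) and INSERT R(b) WHERE R(a) ∧ R(b) as equivalent and INSERT g WHERE T versus INSERT g ∨ f WHERE T as not, and for any total valuation v of w's atoms fred_change_sets(w, v) coincides with the sets found by minimal_change_sets(w, v), which is the content of Theorem 8-13.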

Proof of Theorem 8-13. Assume without loss of generality that ω is
in disjunctive normal form. We first show that if S contains exactly the datoms
of d, then ω is true in M′. Let d′ be a disjunct of ω that is transformed into
d during the full reduction of ω with respect to v, by replacing literals of d′ by
T. Then d′ contains all the literals of d as conjuncts, and other literals l as well
(though not both any literal and its negation). But if l is removed from d′ during
the reduction process, then l is a conjunct of v, and therefore l is already true in
M. Therefore d′ is also true in M′, and ω is true in M′.

To prove condition 2, let ω′ be fred(ω, v). We first show that ω logically
entails ω′. If ω is satisfied under truth valuation v′, then some disjunct D of ω
must be true under v′. Every conjunct of D must be true under v′, and therefore
red(D, φ) must be true under v′ for any basic truth valuation φ. It follows that
red(ω, φ) is true under v′. As red(ω, v) and ω′ are logically equivalent, ω′ must
also be true under v′.

Suppose that S contains a proper subset of the datoms of a satisfiable
disjunct d of ω′. By the definition of M, every conjunct of ω′ is false in M, so
S must contain all the datoms of some satisfiable disjunct d′ of ω′ if ω′ is true
in M′. But then d logically entails d′, so d should have been removed from ω′
during the full reduction process. We conclude that ω′, and hence ω, is false in
M′. ◇

Proof of Theorem 8-12. To show that condition 2 is necessary for
equivalence, if M is a model where φ₁ ∧ ¬φ₂ is true and ω₁ is false, then U₁
applied to M will change or eliminate the alternative world of M, whereas U₂
cannot affect that world.

To show that condition 1 is also necessary for equivalence, suppose there
is some satisfiable disjunct D of φ such that red(ω₁, D) and red(ω₂, D) are not
logically equivalent. Then by Lemma 8-2, there is a satisfiable extension D′ of
D that includes every atom of ω₁ and ω₂, such that red(ω₁, D′) and red(ω₂, D′)
are not logically equivalent. Let ω₁′ be fred(ω₁, D′), let ω₂′ be fred(ω₂, D′), and
let M be a model where D′ is satisfied. Choose any one disjunct d of ω₁′ or
ω₂′, say of ω₁′, that does not subsume any disjunct of ω₂′; such a disjunct must
occur in ω₁′ or ω₂′. Let M′ be a model that only disagrees with M on the truth
valuations of atoms in d. By Theorem 8-13, M′ ∈ U₁(M), but M′ ∉ U₂(M).
But then Worlds(U₁(M)) ≠ Worlds(U₂(M)), and by Theorem 8-1 U₁ and U₂ are
not equivalent.

We now show that conditions 1 and 2 are sufficient to guarantee that U₁
and U₂ are equivalent. By condition 2, U₁ and U₂ are equivalent when applied
to all models where ¬φ is true, as U₁ and U₂ have no effect on such models. To
show that condition 1 is sufficient for models where φ is true, suppose that for all
satisfiable disjuncts D of φ, red(ω₁, D) is logically equivalent to red(ω₂, D). Then
by Lemma 8-1, for every extension of D to a satisfiable conjunction D′ of literals
that includes all the atoms of ω₁ and ω₂, red(ω₁, D′) is logically equivalent to
red(ω₂, D′). For an arbitrary choice of D′, let ω₁′ be fred(ω₁, D′), and let ω₂′ be
fred(ω₂, D′). Then as ω₁′ and red(ω₁, D′) are logically equivalent, and similarly
for ω₂′, it follows that ω₁′ and ω₂′ are logically equivalent. In addition, by the
definition of full reduction, ω₁′ and ω₂′ must contain the same disjuncts, up to
reordering of literals within disjuncts.
By Theorem 8-13, the minimal sets of atom truth valuation changes that
would make ω₁ true in a model M satisfying D′ are given by the disjuncts of ω₁′.
Whenever one of these sets of changes is made in M, creating M′, exactly one
disjunct of ω₂′ is also satisfied in M′. Therefore Worlds(U₁(M)) ⊆ Worlds(U₂(M)).
By a symmetric argument, Worlds(U₁(M)) = Worlds(U₂(M)). As this construction
holds for any model that satisfies φ, U₁ and U₂ are equivalent. ◇

8.5. The Truth-Maintenance Semantics and Update Equivalence

This section discusses update equivalence under the truth-maintenance
semantics. As usual, we begin by showing how to reduce the case of updates with
different selection clauses φ to the case of updates with a common selection
clause.


Theorem 8-14. Let U₁ through U₄ be null-free updates under the truth-
maintenance semantics:

U₁: INSERT ω₁ WHERE φ₁,
U₂: INSERT ω₂ WHERE φ₂,
U₃: INSERT ω₁ WHERE φ₁ ∧ φ₂,
U₄: INSERT ω₂ WHERE φ₁ ∧ φ₂.

Then U₁ and U₂ are equivalent iff

(1) U₃ and U₄ are equivalent; and

(2) If φ₁ ∧ ¬φ₂ is satisfiable, then

• There must be exactly one truth valuation v for all the datoms of ω₁ such
that:

  ◦ ω₁ is true under v; and

  ◦ Each datom that appears positively or negatively in ω₁ is true or false,
respectively, under v.

• Further, φ₁ ∧ ¬φ₂ must logically entail v.

(3) The analogous condition holds if φ₂ ∧ ¬φ₁ is satisfiable. ◇

Proof of Theorem 8-14. The necessity of condition (1) follows from
Theorem 8-5. For condition (2), suppose that, say, φ₁ ∧ ¬φ₂ is satisfiable with
valuation u. Let T be an extended relational theory without strict axioms, with
body u. Let M be a model of T; then U₂(M) = {M}. By Theorem 8-1, then,
for U₁ to be equivalent to U₂, it must be the case that U₁(M) = {M}.

If ω₁ is unsatisfiable, then U₁(M) is the empty set. We conclude that
there is a truth valuation v for all the datoms of ω₁ such that ω₁ is satisfied
under v. By Proposition 7-1, there exists such a valuation v where in addition all
datoms that appear positively in ω₁ have the truth valuation T, and all datoms
that appear negatively in ω₁ have the truth valuation F. Therefore when U₁ is
applied to any model where φ₁ is true, an alternative world is produced where
v is true. Therefore if φ₁ ∧ ¬φ₂ is true in M, for U₁ and U₂ to be equivalent, v
must be true in M, and there must be only one such valuation v. The proof of
necessity of condition (3) is symmetric.

We now turn to the reverse implication, namely, that if conditions (1)
through (3) are met, then U₁ and U₂ are equivalent. Let T be an extended
relational theory without strict axioms, and let M be a model of T. If ¬φ₁ ∧ ¬φ₂
is true in M, then Worlds(U₁(M)) = Worlds(U₂(M)). If φ₁ ∧ φ₂ is true in M,
then since U₃ and U₄ are equivalent, again U₁ and U₂ must be equivalent with
respect to M. If φ₁ ∧ ¬φ₂ is true in M, then Worlds(U₂(M)) = {M}: any model
produced by U₂ represents the same alternative world as M does. By condition
(2), the same is true of U₁(M). We conclude that U₁ and U₂ are equivalent when
applied to T. ◇

We  now  present  simple  sufficient  criteria  for  update  equivalence: 

Theorem 8-15. Let U₁ and U₂ be two null-free updates under the truth-
maintenance semantics:

U₁: INSERT ω₁ WHERE φ,

U₂: INSERT ω₂ WHERE φ.

If

(1) ω₁ and ω₂ are logically equivalent;

(2) The same datoms appear in ω₁ and ω₂;

(3) The same datoms appear positively in ω₁ and ω₂; and

(4) The same datoms appear negatively in ω₁ and ω₂,

then U₁ and U₂ are equivalent.

Proof of Theorem 8-15. Assume that ω₁, and therefore ω₂, is satisfiable,
as otherwise the theorem follows immediately. For any extended relational theory
T without strict axioms, consider the effects of U₁ and U₂ on a model M of T.
U₁ must produce a model M′ from M, since ω₁ is satisfiable. We wish to show
that M′ is also a model produced by U₂ acting on M.

First, ω₂ must be true in M′, because ω₁ and ω₂ are logically equivalent;
therefore rule 2 in the definition of INSERT is satisfied for U₂ by M′. By condition
(2), rule 1 is satisfied for U₂ by M′. Conditions (3) and (4) guarantee that rules
1a and 1b are satisfied. ◇


To see that the criteria of Theorem 8-12 are sufficient but not necessary,
consider the two equivalent insertions of INSERT g WHERE T and INSERT g ∨ (F ∧ ¬g)
WHERE T, which do not satisfy condition (3) for equivalence. For necessary and
sufficient criteria for two updates to be equivalent, as with the standard semantics
we need the concept of a reduced update; but the truth-maintenance reduction
process will include additional steps beyond that for the standard semantics.

Definition. Let U be the update INSERT ω WHERE φ under the truth-
maintenance semantics. To reduce ω with respect to φ, written red(ω, φ), first put
ω into disjunctive normal form† and then make the following atom substitutions
for every datom g in ω:

1. If φ and ω both logically entail g, replace g by T in ω.

2. If φ and ω both logically entail ¬g, replace g by F in ω.

3. If φ logically entails g and g appears positively in ω, replace g by T in ω.

4. If φ logically entails ¬g and g appears negatively in ω, replace g by F in
ω. ◇

Proposition 8-7. Under the truth-maintenance semantics, any update
U: INSERT ω WHERE φ is equivalent to INSERT red(ω, φ) WHERE φ. ◇

We omit the proof of Proposition 8-5 here; intuitively, U cannot change
the truth valuation of any datom g that is removed from ω, because of rules
1a and 1b in the definition of INSERT under the truth-maintenance semantics
(Chapter 7).

Unfortunately,  even  this  stronger  version  of  reduction  does  not  lead  to  as 
elegant  a  theorem  of  equivalence  as  was  possible  under  the  standard  semantics. 
A  counterexample  will  illustrate  why  Theorem  8-10  fails  to  hold  for  the  truth- 
maintenance  semantics. 

Example. Let f and g be datoms. Then U₁: INSERT g ∨ ¬f ∨ T
WHERE (f ∧ g) ∨ (¬f ∧ ¬g) is not equivalent to U₂: INSERT f ∨ g ∨ ¬f ∨ ¬g WHERE
(f ∧ g) ∨ (¬f ∧ ¬g), even though Theorem 8-10 would suggest so, if co-opted for
the truth-maintenance semantics. The problem arises because even though ω₁
and ω₂ are logically equivalent, U₁ will never produce an alternative world where
f ∧ ¬g is true, but U₂ will. If Theorem 8-10 is strengthened to require that the
same datoms appear positively and negatively in ω₁ and ω₂, then inequivalence
would correctly be predicted for this example; but in general, this extra con-
dition is too strong. For example, consider INSERT g ∨ T WHERE ¬g and INSERT
g ∨ ¬g WHERE ¬g. These two updates are already reduced, and they are equivalent
although g appears positively in ω₁ but not in ω₂. ◇

Theorem 8-16. Let U₁ and U₂ be two null-free updates under the truth-
maintenance semantics, where φ is in disjunctive normal form:

† For the truth-maintenance semantics, we need slightly more rigid rules on what
constitutes disjunctive normal form: Add the requirement that if F appears in a disjunct of a wff
in disjunctive normal form, then F is the only conjunct in that disjunct.
U₁: INSERT ω₁ WHERE φ,

U₂: INSERT ω₂ WHERE φ.

Then U₁ and U₂ are equivalent iff for all satisfiable disjuncts D of φ,

(1) red(ω₁, D) and red(ω₂, D) contain the same datoms and are logically
equivalent; and

(2) If a datom g appears positively (resp. negatively) in only one of red(ω₁,
D) and red(ω₂, D), then g appears negatively (resp. positively) in D. ◇

Example. Consider the counterexample given earlier:

U₁: INSERT g ∨ ¬f ∨ T WHERE (f ∧ g) ∨ (¬f ∧ ¬g),

U₂: INSERT f ∨ g ∨ ¬f ∨ ¬g WHERE (f ∧ g) ∨ (¬f ∧ ¬g).

Reduction with respect to f ∧ g yields red(ω₁, f ∧ g) = (T ∨ ¬f ∨ T) and
red(ω₂, f ∧ g) = (f ∨ g ∨ ¬f ∨ ¬g). As these two wffs do not contain the same
datoms, Theorem 8-16 correctly predicts inequivalence. ◇

Example. Consider the other counterexample given earlier:

U₁: INSERT g ∨ T WHERE ¬g,

U₂: INSERT g ∨ ¬g WHERE ¬g.

These two updates are already reduced. As ω₁ and ω₂ are logically equivalent and
contain the same datoms, condition (1) for equivalence is satisfied. For condition
(2), g appears positively in ω₁ and not in ω₂, but g does appear negatively in D, so
condition (2) is satisfied. Therefore Theorem 8-16 correctly predicts equivalence
of U₁ and U₂. ◇

In the spectrum of choices of semantics, the truth-maintenance semantics
falls somewhere between the standard semantics and the minimal-change semantics.
It is interesting to note the same intermediate nature in Theorem 8-16,
which falls between Theorems 8-10 and 8-12 in its requirements. For example, as
for the minimal-change semantics, reduction in Theorem 8-16 must be done with
respect to the individual disjuncts of φ rather than all of φ at once. The syntactic
element in the standard semantics crops up in the requirement of Theorem 8-16
that red(ω₁, D) and red(ω₂, D) contain the same datoms.

Proof of Theorem 8-16. If φ is false in a model M, then U₁(M) =
U₂(M). If φ is true in M, then some disjunct D of φ is true in M. Let U₁′
be the update INSERT red(ω₁, D) WHERE D, and let U₂′ be the update INSERT
red(ω₂, D) WHERE D. By principle P2 and Proposition 8-7, Worlds(U₁′(M)) =
Worlds(U₁(M)), and similarly for U₂′. If U₁ and U₂ are equivalent, then, U₁′ and
U₂′ must be equivalent. Conversely, if U₁ and U₂ are not equivalent, there must
be some disjunct D of φ such that U₁′ and U₂′ are not equivalent.

We now turn to the question of equivalence for the updates U₁′ and U₂′.
We first show that ω₁′ and ω₂′ (i.e., red(ω₁, D) and red(ω₂, D)) must be logically
equivalent if U₁′ and U₂′ are equivalent. Let v be a particular truth valuation that
satisfies ω₁′ but not ω₂′, say. Let u be a truth valuation that satisfies D and agrees with
v on the datoms in v that are not also in D. Let M be a model of an extended
relational theory without strict axioms, having body u. Then v is true in some
model M′ ∈ U₁′(M); the definition of reduction ensures that rules 1a and 1b in
the truth-maintenance definition of INSERT are satisfied by v. But World(M′)
cannot be a member of Worlds(U₂′(M)), because ω₂′ is false in M′. Therefore
ω₁′ and ω₂′ must be logically equivalent for U₁′ and U₂′ to be equivalent.

We now show that ω₁′ and ω₂′ must contain the same datoms if U₁′ and U₂′
are equivalent. If g is a datom that is a subformula of ω₁′ but not of ω₂′, and if g
does not occur in D, then U₁′ and U₂′ cannot be equivalent, as by the definition of
reduction, U₁′ can change the truth valuation of g but U₂′ cannot. If g does occur
in D, then by the definition of reduction, there exists a truth valuation u for the
datoms of φ and ω₁′, such that D is true under u, and also a truth valuation v for
the datoms of ω₁′, such that ω₁′ is true under v; and where in addition g has
different truth valuations in u and v. Let M be a model of an extended relational
theory without strict axioms, having body u; then Worlds(U₁′(M)) includes an
alternative world where v is true, because by the definition of reduction, v satisfies
rules 1a and 1b in the truth-maintenance definition of INSERT. We conclude that
ω₁′ and ω₂′ must contain the same datoms if U₁′ and U₂′ are equivalent.

We now show that condition (2) is necessary. Suppose g is a datom that
occurs positively in ω₁′ but not in ω₂′, and g does not occur negatively in D. Let
M be a model of an extended relational theory without strict axioms, having
body D ∧ g. Then g is true in every model of U₁′(M). There must be some model
M′ of U₂′(M) in which g is false, because ¬g is a conjunct of some disjunct of ω₂′
by assumption, and by the definition of disjunctive normal form, that disjunct
must be satisfiable. But then U₁′ and U₂′ cannot be equivalent. The proof is
symmetric if g occurs negatively in fred(ω₁, D).

To show that these conditions are sufficient for U₁′ and U₂′ to be equivalent,
suppose ω₁′ and ω₂′ contain the same datoms and are logically equivalent. Let
M be a model of an extended relational theory T without strict axioms. If D
is false in M, then U₁′ and U₂′ are equivalent. Otherwise, for any model M′ in
U₁′(M), ω₂′ is true in M′, because ω₁′ and ω₂′ are logically equivalent. Therefore
rule 2 in the truth-maintenance definition of INSERT is satisfied for U₂′. Rule 1
is satisfied by assumption. For rule 1a, suppose that g is true in M, appears
positively in ω₂′, but is false in M′. If g appears in D, then by the definition of
reduction, g is not a datom of ω₂′, a contradiction. If g does not appear in D,
then by condition (2) g also appears positively in red(ω₁, D), a contradiction.
The proof is symmetric for rule 1b. We conclude that U₁′ and U₂′ are equivalent.
◇


After  proving  Theorems  8-14  and  8-16,  the  author  was  led  to  the  conclusion 
that  the  truth-maintenance  semantics  would  not  be  the  most  fruitful  paradigm 
for  investigation,  due  to  its  complexity. 
8.6. Summary and Conclusion

This chapter has shown that it is possible to develop necessary and sufficient
conditions to determine when two updates will be equivalent, under a variety of
choices of semantics. Further, a number of basic principles regarding equivalence
are shared by a broad class of semantics, as illustrated by the theorems in Section
8-1. Among the semantics examined in detail, the conditions for equivalence are
simplest for the standard semantics, due to its name-dropping element, and
are a bit more complicated for the minimal-change semantics. These theorems on
equivalence are useful when debating the merits of different candidate semantics
for an application.
Chapter 9: Implementation


This chapter describes an implementation constructed for the Update Algorithm,
and gives experimental results from this implementation. The goal of
the implementation effort was to gauge the expected performance of the update
and query processing algorithms in a traditional database management system
application. The implementation was tailored to this environment, and for that
reason the techniques used and results obtained will apply only partially, if at
all, to other application environments, such as knowledge-based artificial intelligence
applications. In particular, the following assumptions and restrictions were
made.

•  Update  syntax  was  modified  and  restricted,  to  encourage  use  of  simple 
constructs. 

•  A  fixed  data  access  mechanism  (query  language)  was  assumed. 

• A large, disk-resident database supplying storage for the body of the extended
relational theory was assumed.

•  Performance  was  equated  with  the  number  of  disk  accesses  required  to 
perform  queries  and  updates  after  a  long  series  of  updates,  and  the  storage 
space  required  after  a  long  series  of  updates. 

These assumptions and restrictions are all appropriate to traditional database
management scenarios; they will be discussed in more detail in later sections.
We  begin  with  a  brief  high-level  description  of  the  implemented  system,  and  then 
examine  its  components  in  more  detail.  The  chapter  concludes  with  a  description 
of  the  experimental  results. 

9.1.  Overview 

The Update Algorithm Version II was chosen for implementation. This version of
the Update Algorithm permits both null values* and variables to occur in update
requests. Since we can assume that the parameters of the average case are known
in advance in a traditional database management system, it is possible to gear the
implementation of the Update Algorithm toward this expected case, rather than
orienting the implementation toward the worst case as was done in the presentation
of the Update Algorithm in Chapters 3 and 4. Orienting the implementation
toward the average case allowed us to greatly optimize the algorithm to improve
performance during update processing. A query processor was also constructed;
because the expected case is also known during traditional query processing, the
query processing algorithms were also thoroughly optimized. Both the query
and the update processing routines can make use, when necessary, of a heuristic
satisfiability tester to help optimize performance. The implementation is coded
entirely in C, runs on a VAX, and is approximately 121 Kbytes long in executable
form. We do not include this code here; those parties interested in more details
of the implementation than are presented here are invited to contact the author
directly.

* Skolem constants, in logical parlance; in this chapter we will use the non-logical term.

Lazy  evaluation  was  not  implemented;  for  that  reason,  to  keep  the  size 
of  the  extended  relational  theory  within  reasonable  limits,  null  values  were  not 
permitted  to  occur  in  attributes  on  which  joins  were  performed  in  the  selection 
clauses  of  updates. 

The exact pattern of the data, and of the individual queries and updates, was
determined using random numbers and probability distributions, as described in
Section  9.4.  Updates  and  queries  are  modeled  chiefly  in  terms  of  their  selectivity 
rather  than  their  syntax.  In  other  words,  because  the  goal  of  the  implementation 
is  a  count  of  the  disk  accesses  required  for  processing,  the  exact  syntax  of  a 
selection  clause  is  unimportant;  what  matters  is  how  many  disk  accesses  are 
required  to  process  that  selection  clause.  Profiles  for  updates  and  queries  were 
chosen  on  the  basis  of  selectivity  classes  rather  than  on  the  basis  of  syntactic 
features  such  as  numbers  of  disjuncts  and  conjuncts.  For  example,  all  selection 
clauses that require accessing 10 datoms of $T$ are identical for the purposes of
performance  measurement,  whether  those  selection  clauses  contain  just  single 
datoms  or  conjuncts  and  disjuncts  galore. 

The  implemented  version  of  update  syntax  differs  from  that  presented  in 
Chapter  3.  The  goal  of  the  modifications  was  to  tailor  syntax  to  the  operations 
expected  to  be  most  common  in  ordinary  database  management  systems.  This 
decision  is  expected  to  have  the  side  effect  of  mildly  discouraging  the  use  of  less 
common  (and  presumably  harder  to  perform)  forms  of  update  requests.  The 
restricted  syntax  does,  however,  have  the  same  expressive  power  as  the  original 
syntax; some changes to the extended relational theory that could be accomplished
in one update may, however, now require multiple updates. The exact
restrictions  on  syntax  are  described  in  Section  9.5. 

9.2.  Data  Structures  and  Access  Techniques  for  Storing  Extended 
Relational  Theories 

The  extended  relational  theory  is  mapped  into  a  set  of  data  structures  for  storage 
on  disk.  The  data  structures  required  fall  into  five  general  categories: 

•  Datom  space. 

•  History  atom  space. 

•  Equality  atom  space. 

•  Logical  relationship  space. 
• Data structures for satisfiability testing.

Figure 9-1. Datom and logical relationship space. [Figure: B-tree index over
datom space, heads of pointer chains, and logical relationship space shown in
unnormalized form, for a body of $T$ consisting of $R(a) \vee R(b)$, $R(a) \vee R(e)$.]

The  unique  name  axioms  and  completion  axioms  are  implicitly  present  and  are 
not  stored.  Figure  9-1  shows  a  simplified  version  of  these  data  structures  for  the 
extended relational theory with body $R(a) \vee R(e)$.

In the following four subsections we give a high-level overview of each
type  of  data  structure.  The  final  subsection  gives  the  full  details  of  the  data 
structures. 

9.2.1.  Datom  Space 

Datom  space  is  organized  much  as  ordinary  database  tuple  storage,  with  datoms 
packed  into  disk  blocks  and  accessed  using  B-tree  indices  on  their  attributes.  In 
fact,  to  obtain  the  running  time  estimates  given  in  Chapters  3  and  4,  all  datoms 
in  the  body  of  an  extended  relational  theory  T  must  have  a  lookup  and  insertion 
time of $O(\log R)$, where $R$ is the maximum number of datoms in $T$ over the same
predicate.  The  predicates  are  not  assumed  to  have  keys. 

9.2.2.  History  Atom  Space 

As  presented  in  Chapters  3  and  4,  the  Update  Algorithm  makes  heavy  use  of 
history atoms. But history atoms are not strictly necessary; there is no reason to
use  them  if  there  is  an  equivalent  method  of  performing  a  particular  update  that 
uses  less  space  than  would  be  required  under  the  history  atom  method.  For  this 
reason,  the  implementation  of  the  Update  Algorithm  only  makes  use  of  history 
atoms  when  it  is  difficult  or  impossible  to  get  along  without  them.  For  example, 
the  “typical”  update  in  practice  is  expected  to  have  a  very  simple  selection  clause, 
typically  one  that  is  true  in  all  alternative  worlds.  If  u  is  also  simple,  one  can 
almost  always  “update  in  place”,  and  no  datoms  need  be  replaced  by  history 
atoms — Steps  2  and  4  become  superfluous. 

History  atoms  are  stored  separately  from  datoms.  Much  less  information 
must  be  stored  for  a  history  atom  than  for  a  datom,  because  little  is  important 
about a history atom except its unique ID. In particular, its attribute values are
only important insomuch as they determine which other history atoms that atom
unifies with; and if there are no unifications with other atoms, then nothing need
be stored for that atom other than its unique ID. Further, the set of atoms with
which a history atom unifies is fixed at the time an update is performed. Since
we expect few unifications in practice, the implementation reduces all history
atoms $H(f, U)$ to unique IDs $h_1, h_2, \ldots$ (predicate constants, in the language of
mathematical logic). If some history atom $h_1$ unifies with another atom $h_2$ under
most general substitution $\sigma$, then the additional formula $\sigma \rightarrow (h_1 \leftrightarrow h_2)$ must
also  be  stored  in  T.  This  simplification  of  history  atoms  is  expected  to  reduce 
the  size  of  T  greatly,  as  history  atom  unifications  will  be  rare. 

9.2.3.  Equality  Atom  Space 

Equality atoms that are true in all alternative worlds have special data structures
dedicated to them. Restrictions on the possible values of a Skolem constant are
stored in the same disk block as one of the datoms in which that null value occurs
(its home datom). In addition, if the null value is known to be equal to any other
null values (e.g., $e_1 = e_2$), the data structure for each datom in which it occurs
includes a pointer to a list of those other null values.
9.2.4. Logical Relationship Space

An outside logical relationship of a datom $f$ is a wff in the body of $T$ that contains
$f$ and other atoms. For example, if $f$ only occurs as a separate formula in the
body of $T$, then $f$ does not take part in any outside logical relationships. If the
formula $f \vee \alpha$ occurs in the body of $T$, however, then $f$ participates in an outside
logical relationship.

The history substitution step (Step 2) is the bottleneck for the Update
Algorithm. To make renaming fast and achieve the time bounds presented in
Chapters 3 and 4, all occurrences of a datom $f$ in the body of $T$ must be represented
on disk by pointers to a block of storage where $f$ is actually kept, so that
the substitution of $H(f, U)$ for $f$, if required, can be done in constant time. In
other words, rather than storing the wffs of the body of $T$ directly, the wffs are
mapped into a data structure that contains pointers into a separate name space
where names of datoms are kept — datom space.

All  occurrences  of  the  same  atom  or  history  atom  in  logical  relationship 
space  are  linked  together  in  a  chain  whose  head  is  either  an  index  entry  for  a 
datom  or  a  history  atom  unique  ID. 

To  facilitate  satisfiability  testing,  logical  relationships  are  not  stored  as 
they  would  appear  in  the  body  of  T,  but  rather  are  converted  into  a  normal  form 
that is convenient for satisfiability testing. This normal form uses only one logical
operation, a variant on exclusive-or called exact-or. When normalized, the body
of the extended relational theory is just a list of alternative sets, or sets of pointers
to atoms, related by exact-or. If a set of atoms is related by exact-or, then
exactly one of those atoms must be true in any model of the extended relational
theory. Exact-or differs from exclusive-or in that exact-or is not associative —
not a proper operator at all. It is extremely easy to write a heuristic satisfiability
tester (described in Section 9.2.4) that works on alternative sets. Such a tester
can be captured in a page of C code, unlike a satisfiability tester for formulas
containing $\wedge$, $\vee$, and $\neg$. The potential pitfall of using alternative sets is that like
any other normal form, conversion to alternative sets may exponentially increase
the length of a formula in the worst case.

9.2.5.  Data  Structures  for  Satisfiability  Testing 

A  heuristic  satisfiability  tester  is  an  important  part  of  an  efficient  implementation 
of  the  Update  Algorithm.  “Heuristic”  means  that  when  testing  satisfiability  of  a 
wff $\alpha$, in addition to the obvious responses of “satisfiable” and “unsatisfiable”, the
satisfiability tester may decide that it’s too hard to tell whether $\alpha$ is satisfiable,
and  respond  accordingly.  This  satisfiability  tester  is  guaranteed  to  stop  in  a 
polynomial  number  of  steps  (that  is,  polynomial  in  the  number  of  stored  atoms). 

To  test  satisfiability  efficiently,  once  a  decision  has  been  made  on  the  truth 
valuation  of  an  atom  /,  all  other  occurrences  of  /  in  the  body  of  T  must  be  located 
quickly.  To  achieve  this,  in  the  implementation  all  occurrences  of  the  same  atom 
in  the  body  of  T  are  linked  together  in  a  list  whose  head  is  an  index  entry. 
The other data structure needed for heuristic satisfiability testing is an
array of bits to keep track of the decisions made so far on atom truth valuations.
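The alternative-set normal form of Section 9.2.4 and the heuristic tester just described, as an added Python example; this is illustration code written for this page, not the dissertation's C implementation. The class and method names (AltSetTheory, test, satisfies), the atom IDs in the constructed sample body, and the step budget that makes the tester answer "unknown" are my choices: the dissertation states only that its tester halts in a polynomial number of steps, not how that bound is enforced. The occurrence index stands in for the on-disk pointer chains headed by index entries, and the `decided` table for the bit array of truth valuations.

```python
from collections import defaultdict

SAT, UNSAT, UNKNOWN = "satisfiable", "unsatisfiable", "unknown"


class AltSetTheory:
    """Body of an extended relational theory in alternative-set normal form:
    each alternative set is a set of atom IDs of which exactly one is true in
    every model (exact-or)."""

    def __init__(self, alt_sets):
        self.alt_sets = [frozenset(s) for s in alt_sets]
        self.atoms = sorted({a for s in self.alt_sets for a in s})
        # Occurrence chains: atom -> indices of the sets it appears in. This
        # plays the role of the on-disk pointer chains headed by an index entry.
        self.occurs = defaultdict(list)
        for i, s in enumerate(self.alt_sets):
            for a in s:
                self.occurs[a].append(i)
        self.model = None
        self.steps = 0

    def _propagate(self, decided, queue):
        """Exact-or unit propagation. `decided` is the truth-valuation table
        (the bit array of the text). Returns False on a conflict."""
        while queue:
            s = self.alt_sets[queue.pop()]
            true = [a for a in s if decided.get(a) is True]
            undecided = sorted(a for a in s if a not in decided)
            if len(true) > 1:
                return False                      # two members true
            if len(true) == 1:                    # the rest must be false
                for a in undecided:
                    decided[a] = False
                    queue.extend(self.occurs[a])
            elif not undecided:
                return False                      # every member false
            elif len(undecided) == 1:             # last candidate is forced true
                decided[undecided[0]] = True
                queue.extend(self.occurs[undecided[0]])
        return True

    def _search(self, decided, queue, budget):
        self.steps += 1
        if self.steps > budget:
            return UNKNOWN                        # too hard to tell
        decided = dict(decided)                   # private copy for backtracking
        if not self._propagate(decided, list(queue)):
            return UNSAT
        for s in self.alt_sets:
            undecided = sorted(a for a in s if a not in decided)
            if undecided:                         # branch on one open atom
                saw_unknown = False
                for value in (True, False):
                    branch = dict(decided)
                    branch[undecided[0]] = value
                    result = self._search(branch, self.occurs[undecided[0]], budget)
                    if result == SAT:
                        return SAT
                    saw_unknown |= result == UNKNOWN
                return UNKNOWN if saw_unknown else UNSAT
        self.model = decided                      # every atom decided, no conflict
        return SAT

    def test(self, assumptions=None, budget=None):
        """Heuristic satisfiability test of the body under optional fixed
        truth values. The step budget (default polynomial in the number of
        atoms; my choice of stopping rule) bounds the search."""
        if budget is None:
            budget = 4 * max(1, len(self.atoms)) ** 2
        self.steps, self.model = 0, None
        return self._search(dict(assumptions or {}), range(len(self.alt_sets)), budget)

    def satisfies(self, model):
        """Check that exactly one member of every alternative set is true."""
        return all(sum(1 for a in s if model.get(a)) == 1 for s in self.alt_sets)


# Constructed sample body (not taken from the dissertation): datoms f, g and
# history atom IDs h1..h3, arranged so that f and g cannot both be false.
SAMPLE = AltSetTheory([{"f", "h1"}, {"g", "h2"}, {"h1", "h2", "h3"}])

if __name__ == "__main__":
    print(SAMPLE.test())                                        # satisfiable
    print(SAMPLE.test(assumptions={"f": False, "g": False}))    # unsatisfiable
```

Unit propagation alone settles the situations the expected case produces (one true member forces the rest false; one remaining candidate is forced true). The bounded branching after it is what keeps the tester polynomial: when the budget runs out the answer is UNKNOWN rather than the result of an exponential search, which is exactly the third response the text allows.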

9.2.6.  Details  of  Data  Structures 

In  agreement  with  traditional  relational  database  terminology,  in  this  discussion 
the  arguments  to  a  predicate  are  generically  termed  attributes  and  the  values  for 
those  attributes  in  a  particular  datom  are  called  attribute  values. 

For  an  efficient  implementation,  much  more  must  be  stored  on  disk  for  each 
datom  than  just  its  attribute  values.  The  following  data  structure  description 
shows what data structure fields our implementation stores for a three-attribute
datom;  there  are  13  fields,  the  last  three  of  which  contain  the  attribute  value 
information  for  the  datom. 

1.  Datom  ID(s). 

2. Does this datom contain null values or participate in outside logical relationships?
(Yes/No)

3.  Does  this  datom  participate  in  outside  logical  relationships?  (Yes/No) 

4-6.  Is  there  a  Skolem  constant  for  the  attribute  value  of  attribute  1-3? 

(Yes/No  for  each  attribute) 

7-9.  Pointers  to  MarkLists  for  attributes  1-3. 

10.  Pointer  to  AltSetList. 

11-13.  Attribute  value  or  pointer  to  null  value  for  attributes  1-3. 

The  data  structure  for  datoms  contains  pointers  to  MarkLists,  AltSetLists, 
and  null  values.  Let  us  first  describe  the  data  structures  used  for  null  values. 

If  an  INSERT  request  is  received  for  a  datom  that  includes  a  null  value  as 
an  attribute  value,  then  that  field  is  so  flagged  in  a  header  for  the  datom,  and 
in  place  of  the  attribute  value  a  pointer  is  stored  to  a  null  value  data  structure 
in  the  same  block  of  disk  storage.  The  null  value  data  structure  consists  of  an 
ordered list of begin/end range values, with a provision for open ranges. This
gives  a  reasonable  simulation  of  Skolem  constants  in  a  variety  of  domains  (e.g., 
strings,  integers,  reals).  The  implementation  uses  a  linked  list,  but  there  might 
be  a  better  choice;  the  actual  data  structure  is  not  important  for  performance 
measurement,  as  long  as  one  can  get  the  null  value  information  during  the  same 
disk  access  as  the  rest  of  the  datom. 

MarkLists are lists of the equality atoms in which a Skolem constant occurs.
“Marked nulls” is the traditional name in the database community literature
for  the  case  when  two  null  values  are  known  to  be  equal  to  one  another.  The 
actual  data  structure  used  is  a  header  followed  by  a  linked  list  of  datom  IDs  and 
attribute  numbers.  The  performance  measurements  assume  that  each  MarkList 
can  be  fully  contained  on  a  block  of  disk  storage. 

One of the drawbacks of using alternative sets of atoms is that alternative
sets are very fussy about only one of their member atoms being true in any single
alternative world. This causes a lot of pain in the case where one wants to express
concepts such as disjunction. Since the implementation of alternative sets lists
member datoms and history atoms by atom ID, to implement disjunctions the
representation cheats by using multiple datom IDs for the same datom. This was
easy to implement; due to the presence of null values and the lack of keys, the
implementation already had to provide for more than one datom per index value.

The  implemented  AltSetList  looks  like  a  MarkList.  The  main  difference 
between  them  is  that  some  atom  IDs  in  an  AltSetList  may  be  over  a  special 
predicate,  the  history  predicate.  These  history  atom  unique  IDs  occur  plentifully 
when  alternative  set  normal  form  is  used.  A  history  atom  unique  ID  is  just  an 
index  into  the  History  Atom  Array;  in  that  array  a  list  is  stored  for  each  history 
atom,  containing  pointers  to  the  alternative  sets  where  that  history  atom  appears. 

Associated with the AltSetLists are a few extra bits to help the satisfiability
testing routine remember which truth valuations have been decided so far.
The  bits  are  arranged  so  that  the  satisfiability  tester  would  not  have  to  hop  all 
over  disk  to  turn  those  bits  off  after  the  testing  is  done;  they  are  kept  together 
in  one  array,  hashed  on  datom  and  history  atom  ID.  This  array  is  to  be  loaded 
into  main  memory  when  the  database  is  first  opened. 

The  HistoryAtomArray  fits  on  as  many  contiguous  blocks  of  disk  as  its 
length  requires.  Its  storage  is  managed  by  a  manager  that  keeps  track  of  free 
slots.  Each  slot  represents  a  different  history  atom,  and  contains  a  pointer  off  to 
a  list  of  the  alternative  sets  that  that  history  atom  occurs  in. 

9.3.  Implementation  of  the  Update  Algorithm 

The Update Algorithm as implemented does not look very much like its
presentation  in  Chapter  4.  This  is  because  the  presentation  in  Chapter  4  was 
geared  toward  streamlined  handling  of  the  general  case,  that  is,  the  worst  case. 
In  contrast,  the  implemented  version  is  geared  toward  streamlined  handling  of  the 
expected  case.  The  “typical”  datom  in  the  extended  relational  theory  is  expected 
to  be  true  in  all  alternative  worlds,  and  hence  the  query  and  update  algorithms 
are  oriented  heavily  toward  dealing  with  datoms  that  are  true  (or  false)  in  all 
alternative  worlds. 

This orientation leads to the use of a hierarchy of update processing routines.
At the top of the hierarchy are procedures that work correctly when datoms
do not contain null values and are not involved in any outside logical relationships.
At the lowest level are routines that know how to handle arbitrary outside
logical  relationships.  The  implemented  version  of  the  Update  Algorithm  operates 
at  all  times  in  the  highest  possible  level  of  this  uncertainty  hierarchy.  A  simplified 
version  of  the  hierarchy  for  ground  requests  follows. 

1.  All  atoms  involved  in  this  query /update  are  true  in  all  alternative 
worlds,  so  process  this  request  as  though  in  an  ordinary  database. 

2.  There  are  null  values  in  one  of  the  atoms  involved  in  this  request,  but 
the  null  values  are  not  relevant  to  this  particular  request,  so  they  can  be  ignored. 
Further,  the  atoms  are  not  involved  in  any  outside  logical  relationships. 
3. There are null values in one of the atoms involved in this request, but
the  atom  and  its  null  values  are  not  involved  in  any  outside  logical  relationships, 
so  the  uncertainty  can  be  dealt  with  locally. 

4.  Some  atoms  or  null  values  of  the  request  are  involved  in  outside  logical 
relationships,  and  a  heuristic  satisfiability  tester  needs  to  be  called  before  any 
updates  are  performed  or  the  query  answer  is  returned. 

The  determination  of  the  correct  level  of  the  hierarchy  is  done  as  rapidly 
as  possible;  dedicated  fields  in  the  stored  datom  are  maintained  to  give  that 
information.  The  determination  of  the  correct  level  of  the  hierarchy  is  done 
separately  for  each  set  of  bindings  to  variables  in  the  update  or  query. 
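How the header fields of Section 9.2.6 feed the level decision just described, as an added Python example (not the dissertation's code). The names Datom, NullValue, hierarchy_level and select_by_value are mine; the range list in NullValue follows the begin/end description of Section 9.2.6; a single in_outside_relationship flag stands in for both the datom's and its null values' participation in outside logical relationships; and the attribute lookup is a linear scan over a constructed sample rather than the B-tree index of Section 9.2.1. The selection helper shows what the range restrictions are used for: a lookup on an attribute value also returns the datoms whose null for that attribute could take that value (Section 9.5.1 describes this for the selection profiles).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# A range restriction on a null value is a (low, high) pair; None at either
# end marks an open range, mirroring the "provision for open ranges".
Range = Tuple[Optional[float], Optional[float]]


@dataclass
class NullValue:
    """Null value (Skolem constant) approximated by an ordered list of
    allowed ranges; an empty list means the null is unrestricted."""
    ranges: List[Range] = field(default_factory=list)

    def could_equal(self, value) -> bool:
        """Could this null take on `value` in some alternative world?"""
        if not self.ranges:
            return True
        return any((lo is None or lo <= value) and (hi is None or value <= hi)
                   for lo, hi in self.ranges)


@dataclass
class Datom:
    """Stored datom with the header fields a request needs in order to pick
    its hierarchy level (hypothetical layout; field numbers refer to the
    13-field list of Section 9.2.6)."""
    datom_id: int                                # field 1
    values: list                                 # fields 11-13: value or NullValue
    in_outside_relationship: bool = False        # field 3

    def is_null(self, attr: int) -> bool:        # fields 4-6
        return isinstance(self.values[attr], NullValue)

    @property
    def has_null(self) -> bool:
        return any(self.is_null(a) for a in range(len(self.values)))

    @property
    def uncertain(self) -> bool:                 # field 2
        return self.has_null or self.in_outside_relationship


def hierarchy_level(datoms: Sequence[Datom], relevant_attrs: Sequence[int]) -> int:
    """Highest level (1 = ordinary database, 4 = call the satisfiability
    tester) at which a request touching `datoms` can be processed.
    `relevant_attrs` are the attributes the request actually compares
    (joins, equality atoms); nulls elsewhere can be ignored (level 2)."""
    if any(d.in_outside_relationship for d in datoms):
        return 4
    if any(d.is_null(a) for d in datoms for a in relevant_attrs):
        return 3
    if any(d.has_null for d in datoms):
        return 2
    return 1


def select_by_value(datoms: Sequence[Datom], attr: int, value) -> List[Datom]:
    """Type 1 selection on one attribute: exact matches plus every datom whose
    null value for that attribute could equal the value."""
    hits = []
    for d in datoms:
        v = d.values[attr]
        if v.could_equal(value) if isinstance(v, NullValue) else v == value:
            hits.append(d)
    return hits


# Constructed sample datoms (not from the dissertation's performance runs).
SAMPLE = [
    Datom(1, ["x", 10, "p"]),
    Datom(2, ["y", NullValue([(5, 15)]), "q"]),
    Datom(3, ["z", 20, "r"], in_outside_relationship=True),
    Datom(4, ["w", NullValue(), "s"]),
]

if __name__ == "__main__":
    print([d.datom_id for d in select_by_value(SAMPLE, 1, 10)])   # [1, 2, 4]
    print(hierarchy_level(SAMPLE[:2], [0]), hierarchy_level(SAMPLE[:2], [1]))  # 2 3
```

Because the flags live in the datom header, the level is decided from the block that the selection already fetched, with no extra disk access; only level 4 pays for the satisfiability tester, which is the "don't pay for what you don't use" property the text claims.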

The  hierarchy  is  organized  in  accordance  with  the  expected  frequency  of 
different  types  of  uncertainty  in  the  extended  relational  theory.  For  example, 
null  values  are  expected  to  be  the  most  common  type  of  uncertainty,  and  null 
values  are  expected  to  be  less  frequent  in  the  “important”  attributes  (i.e.,  those 
appearing in joins or equality atoms in $\phi$ and $\omega$). For that reason, the implementation
is optimized to work most efficiently at higher levels of the hierarchy. In
particular,  if  no  uncertainty  is  present  at  all,  then  queries  and  updates  will  be 
processed  as  fast  as  though  the  database  management  system  had  never  heard  of 
uncertainty  (except  for  effects  due  to  the  slightly  higher  space  required  for  tuple 
storage).  Under  this  school  of  thought,  if  one  doesn’t  use  the  expressive  power 
of  the  extended  relational  theory,  then  one  needn’t  pay  for  it. 

Conceptually, a practical implementation of the Update Algorithm will
begin by instantiating the variables of the update or query request $U$, attempting
to satisfy the selection clause $\phi$ of $U$. The process of instantiation will be guided
by the use of safe selection clauses, construed in this implementation to mean
roughly that each instantiation of a variable should be a most general choice that
will lead a datom of $\phi$ to unify with a datom already in the extended relational
theory. The instantiation process stops as soon as $\phi$ is satisfied and all variables
in $\omega$ are bound. As an example optimization used in the implementation, at
this point the bound version $\phi'$ of $\phi$ is minimized in length. For example, all
atoms in $\phi'$ that are known to be true (resp. false) in all alternative worlds are
replaced by the truth value T (resp. F). In the average case, $\phi'$ will be reduced
to T if the request is an insertion. In the worst case, $\phi'$ should be reduced to
a conjunction of a very small number of literals, say no more than three. This
important minimization reduces the number of atoms that must be added to $T$
to perform $U$.

9.4.  Data 

This  section  describes  the  data  used  as  input  to  the  performance  measurement 
runs. 

For performance measurement, an extended relational theory containing
“real” data (e.g., employees, managers, and departments) could not give sufficiently
empirical results. For example, what would constitute a “representative”
set of queries and updates? Therefore for performance measurement, the important
parameters of individual queries and updates are chosen randomly according
to pre-specified probability distributions (described below). The individual
queries and updates are reduced to a set of statistical profiles, so that datoms
are selected to satisfy selection clauses according to the dictates of probability
distributions.

A simple approach to queries is to divide query answers into three categories:
sets of datoms known to satisfy the query, sets of datoms known to satisfy
the  query  in  some  alternative  worlds  but  not  in  others,  and  sets  of  datoms  that 
may  possibly  satisfy  the  query.  The  latter  class  consists  of  those  sets  of  datoms 
for  which  the  heuristic  satisfiability  tester  was  unable  to  reach  a  conclusion  on 
theoremhood. 

The  extended  relational  theory  T  contains  three  database  predicates,  each 
with  three  attributes.  Indexes  are  stored  for  all  three  attributes.  At  the  beginning 
of a run, all three database predicates have the same number of datoms occurring
in $T$; the exact number is a parameter set at the beginning of the run, typically
1000 or 200. Non-Skolem-constant datom attribute values are distributed uniformly
over an infinite range. The chance of null values occurring as attribute
values in datoms, both initially and when datoms are added using INSERT and
MODIFY, is controlled by probabilities selected at the beginning of a performance
run. These probabilities control the number of introduced datoms having zero,
one, and two null values as attribute values. In addition, the type of range restrictions,
if any, on null values at the time of their home datom insertion is
controlled  by  probabilities  set  at  the  beginning  of  a  performance  run.  Null  values 
can  either  be  unrestricted,  meaning  they  can  take  on  any  value  in  the  underlying 
attribute  domain;  or  they  are  restricted  to  a  range,  the  size  of  which  is  chosen 
uniformly  on  an  interval  also  selected  at  run  time;  or  else  they  are  restricted  to 
three  values.  Of  course  these  restrictions  can  be  altered  by  subsequent  updates. 

Disk  block  size  is  also  a  parameter  set  at  run  time.  Datom  size  is  set 
to  100  bytes.  A  block  packing  factor  of  69%  (derived  from  various  studies;  see 
[Wiederhold  83])  is  assumed. 

9.5.  Updates  and  Queries 

We  first  cover  the  syntax  for  updates  and  queries,  then  look  at  the  method  used  to 
generate  particular  profiles  of  updates  and  queries  for  performance  measurement. 

Rather  than  using  one  single  update  operation,  four  operators  are  made 
available:  INSERT,  DELETE,  and  MODIFY  (all  discussed  in  Chapter  3),  and  also  an 
operation  called  ASSERT,  with  syntax  and  semantics  as  follows: 

ASSERT $\phi$: Eliminate every alternative world of $T$ that is not a model of $\{T, \phi\}$.

The  mix  of  the  different  types  of  updates  and  queries  is  controlled  by 
parameters  selected  at  the  start  of  each  performance  measurement  run. 
In the implemented version of update requests, no more than one datom
can occur in $\omega$. The wff $\omega$ can contain just $f$, or $f \vee \mathrm{T}$ (written MAYBE($f$) for
ease of programming), or either of these in conjunction with range restrictions on
null values. Further, any null values in $f$ cannot already occur in $T$. (Assertions
can be used later to equate pairs of null values.) More complicated $\omega$'s containing
additional atoms can be simulated using multiple updates within one transaction.


9.5.1.  Selection  Clause  Profiles 

As  implemented,  processing  of  every  selection  clause  other  than  the  truth  value  T 
begins  with  a  selection  phase.  The  relation  and  attribute  for  the  initial  selection 
is  chosen  randomly  from  a  uniform  distribution.  These  selections  fall  into  five 
different  groups,  based  on  the  number  of  datoms  they  select. 

1. One datom is selected via index lookup on attribute value. Any additional
datoms with null values that could be equal to that attribute value are
included  in  the  result. 

2. A small set of datoms is selected via index lookup. A uniform distribution
is used to determine the size of the set, which can range between zero and
a  parameterized  upper  limit  (typically  50  datoms).  Any  additional  datoms  with 
null  values  that  could  be  equal  to  that  attribute  value  are  included  in  the  result. 

3.  A  percentage  of  the  datoms  over  a  predicate  are  selected  via  index 
lookup.  The  percentage  is  selected  using  an  Erlang  distribution  (m  =  2,  /  =  2, 
total  =  2.5)  that  typically  selects  10%  of  the  datoms  over  a  predicate.  The  Erlang 
distribution  (see  e.g.  [Wiederhold  83])  is  often  used  to  model  natural  phenomena; 
the  graph  of  its  probability  distribution  starts  off  at  m  =  2  at  a  high  probability, 
quickly  rises  to  its  maximum,  then  falls  into  a  long  tail.  Any  additional  datoms 
with  null  values  that  could  be  equal  to  that  attribute  value  are  included  in  the 
result. 

4.  Range  selection:  All  datoms  within  two  delimiting  points  in  an  attribute 
index  are  selected.  Size  of  range  is  chosen  uniformly  from  an  interval  selected  at 
the  beginning  of  the  performance  run.  (A  Zipfian  distribution  [Knuth  73]  would 
have  been  more  appropriate,  as  discussed  below,  but  was  bypassed  due  to  the 
difficulty  of  implementing  it.)  Any  additional  datoms  with  null  values  that  could 
fall  within  that  range  are  included  in  the  result. 

5.  A  sequential  scan  is  conducted  of  the  datoms  in  the  extended  relational 
theory  over  some  predicate,  resulting  in  the  eventual  selection  of  a  small  set  of 
datoms  over  that  predicate.  Again,  the  size  of  the  set  is  chosen  uniformly  from 
an  interval  selected  at  the  beginning  of  the  performance  run,  and  any  additional 
datoms  with  null  values  that  could  be  equal  to  that  attribute  value  are  included 
in  the  result. 

The type of the selection clause of the current request is selected at run
time using random numbers and expected distributions of selection clause types
for queries and for updates. Updates are strongly biased towards selection of
individual datoms (type 1) or the truth value T, in accordance with traditional
database updates. (Of course, if every datom in the extended relational theory
has a null value for some attribute, then even a type 1 selection clause could
return all the datoms in the theory.) Further, no selection clauses of type 3 are
allowed in updates, as it is our belief that the number of tuples changed by an
update is not a function of the size of the database.

Once  the  size  of  the  result  of  a  selection  has  been  decided,  the  actual 
datoms  satisfying  the  selection  must  be  chosen.  The  implementation  uses  a  uni¬ 
form  probability  distribution  to  select  datoms  from  the  predicates.  Choice  of 
predicate  for  the  selection  is  also  made  uniformly. 

9.5.2.  Join  Profiles 

After  the  initial  selection  phase,  between  zero  and  two  joins  are  executed.  Ex¬ 
pected  percentages  of  updates  and  queries  with  zero,  one,  and  two  joins  are 
chosen  at  the  beginning  of  the  performance  measurement  run;  generally  updates 
are  expected  to  have  a  high  likelihood  of  having  no  more  than  one  join.  After  the 
initial  selection  phase,  the  order  of  joining  of  relations  is  chosen,  using  a  uniform 
distribution. 

9.5.3.  Projection 

Projection  is  not  modeled,  because  it  is  not  expected  to  have  a  large  effect  on 
the  comparative  disk  access  costs  for  extended  relational  theories  and  complete- 
information  relational  databases. 

9.6.  Update  Implementation  Technique 

It  was  our  belief  that  the  most  economical  route  in  the  long  run  was  to  minimize 
the  amount  of  information  in  logical  relationship  space,  at  the  expense  of  datom 
space.  In  other  words,  if  there  are  two  ways  to  represent  the  result  of  an  update 
in  the  extended  relational  theory,  and  one  way  adds  more  to  datom  space  but 
less  to  logical  relationship  space  than  does  the  other,  then  the  former  method 
is  preferred.  The  idea  is  to  have  as  much  information  as  possible  stored  in  a 
simple,  flat  format  that  will  not  require  use  of  expensive  procedures  for  analysis. 
With  this  goal  in  mind,  the  implementation  avoids  having  to  store  equality  atoms 
by  making  heavy  use  of  a  procedure  called  tuple  splitting  [Keller  85],  described 
briefly  below. 

Consider  an  extended  relational  theory  with  body  Emp(e,  CSD).  Suppose 
an  update  arrives  with  selection  clause  Emp(Reid,  CSD).  Then,  loosely  speaking, 
the  datom  Emp(e,  CSD)  satisfies  that  selection  clause  in  some  alternative  worlds 
and  not  in  others.  If  the  update  is  INSERT  Mgr(Nilsson,  CSD)  WHERE  Emp(Reid, 
CSD),  then  the  truth  valuation  of  the  new  datom  Mgr(Nilsson,  CSD)  is  going  to 
depend  on  the  value  of  e.  We  chose  to  avoid  proliferation  of  atoms  such  as  e=Reid 
by  splitting  Emp(e,  CSD)  into  two  stored  datoms  Emp(Reid,  CSD)  and  Emp(e, 
CSD),  where  (1)  the  new  datom  Emp(e,  CSD)  has  a  range  restriction  that  e  is 
not  Reid,  and  (2)  the  two  datoms  appear  together  in  an  alternative  set.  Then  the 
selection clause is satisfied by the datom Emp(Reid, CSD) in all of the alternative
worlds  where  Emp(Reid,  CSD)  is  true,  and  is  not  satisfied  by  the  other  stored 
datom  in  any  world  where  that  datom  is  true.  In  the  implementation,  whenever 
a  datom  only  satisfies  the  selection  clause  of  an  update  in  some  of  the  worlds 
where  that  datom  is  true,  then  that  datom  is  split  until  this  is  no  longer  the  case. 
When  a  datom  is  split,  its  alternative  sets  must  be  changed,  and  also  all  tuples 
on  its  mark  list  may  require  splitting  to  preserve  the  alternative  worlds  of  the 
extended  relational  theory.  We  prefer  not  to  present  the  details  of  this  process, 
as  it  is  quite  intricate. 
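The splitting step just described, as an added illustration that is not the dissertation's implementation: the Python below splits a stored datom whenever a constant-only selection clause unifies with it in only some worlds, and lets an ASSERT collapse the resulting alternative set. It assumes a simplified semantics, all of it the example's own: exactly one member of an alternative set is true in each world, a null carries either a finite allowed set or a set of excluded constants (the range restriction), each null occurs at most once in a datom, mark lists are not modelled, and a per-lineage cap on splits (max_splits) stands in for the limit on splits that Section 9.7.1 recommends for a practical implementation. The names Theory, Null, Datom and SplitLimitExceeded are the example's own.

```python
from collections import namedtuple
from dataclasses import dataclass


@dataclass(frozen=True)
class Null:
    """allowed=None: unrestricted (infinite) domain, else the null ranges over `allowed`;
    `excluded` is the range restriction (constants the null is known not to be)."""
    name: str
    allowed: "frozenset | None" = None
    excluded: frozenset = frozenset()

    def can_be(self, const):
        return const not in self.excluded and (self.allowed is None or const in self.allowed)

    def without(self, const):
        """Restrict by 'not const': a Null, the single constant left, or None if none is left."""
        if self.allowed is None:
            return Null(self.name, None, self.excluded | {const})
        rest = self.allowed - {const}
        if len(rest) == 1:
            return next(iter(rest))
        return Null(self.name, rest, self.excluded) if rest else None


Datom = namedtuple("Datom", "pred args")  # args: constants (str) or Null; assumed: each Null occurs once


def render(d):
    """Emp(e∉{Reid}, CSD)-style text for a datom."""
    def arg(a):
        if not isinstance(a, Null):
            return a
        if a.allowed is not None:
            return a.name + "∈{" + ",".join(sorted(a.allowed)) + "}"
        return a.name + ("∉{" + ",".join(sorted(a.excluded)) + "}" if a.excluded else "")
    return f"{d.pred}({', '.join(map(arg, d.args))})"


class SplitLimitExceeded(Exception):
    """The tuple's lineage was split too often; more complete information is needed."""


class Theory:
    """Assumed: exactly one member of an alternative set holds in any world; `certain` datoms hold in all."""

    def __init__(self, certain=(), max_splits=8):
        self.certain, self.alt_sets, self.splits = list(certain), [], []  # splits[i]: splits behind alt_sets[i]
        self.max_splits = max_splits

    def _locate(self, d):
        return next((i for i, s in enumerate(self.alt_sets) if d in s), None)

    def _replace(self, old, pieces):
        """Swap `old` for `pieces` within its alternative set, founding one if `old` was certain."""
        i = self._locate(old)
        if i is None:
            self.certain.remove(old)
            if len(pieces) == 1:
                self.certain.extend(pieces)
            else:
                self.alt_sets.append(list(pieces))
                self.splits.append(1)
            return
        if self.splits[i] >= self.max_splits:  # the cap on splits that Section 9.7.1 calls for
            raise SplitLimitExceeded(render(old))
        self.alt_sets[i].remove(old)
        self.alt_sets[i].extend(pieces)
        self.splits[i] += 1

    def split_for(self, d, clause):
        """Datom derived from d that satisfies constant-only `clause` wherever it holds, or []."""
        if d.pred != clause.pred or len(d.args) != len(clause.args):
            return []
        for pos, (a, c) in enumerate(zip(d.args, clause.args)):
            if not isinstance(a, Null):
                if a != c:
                    return []                   # constant mismatch: never satisfied
                continue
            if not a.can_be(c):
                return []                       # the range restriction rules c out
            # satisfied only where a = c: split, e.g. Emp(e,CSD) -> Emp(Reid,CSD) | Emp(e≠Reid,CSD)
            yes = Datom(d.pred, d.args[:pos] + (c,) + d.args[pos + 1:])
            rest = a.without(c)
            no = [] if rest is None else [Datom(d.pred, d.args[:pos] + (rest,) + d.args[pos + 1:])]
            self._replace(d, [yes] + no)
            return self.split_for(yes, clause)  # `yes` may still carry other nulls
        return [d]                              # every position agrees: satisfied wherever d holds

    def select(self, clause):
        """Selection phase of an update: datoms satisfying `clause` outright, after any splits."""
        hits = []
        for d in self.certain + [x for s in self.alt_sets for x in s]:
            hits.extend(self.split_for(d, clause))
        return hits

    def assert_true(self, d):
        """ASSERT d in all worlds: its whole alternative set collapses to d."""
        i = self._locate(d)
        if i is not None:
            self.alt_sets.pop(i)
            self.splits.pop(i)
            self.certain.append(d)
```

Running select(Emp(Reid, CSD)) on a theory holding Emp(e, CSD) leaves Emp(Reid, CSD) and Emp(e∉{Reid}, CSD) together in one alternative set; further clauses naming Nilsson and Ullman grow that set by one member per split, which is the explosion Section 9.7.1 describes, and assert_true(Emp(Nilsson, CSD)) removes the whole set at once. A datom whose null ranges over a finite set, as in Emp(e, CSD) with e=Reid or e=Nilsson, splits into two constant datoms and needs no range restriction.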

9.7.  Experimental  Results  and  Discussion 

In  this  section  we  describe  the  behavior  of  the  implementation  with  respect  to 
two  parameters:  disk  accesses  required  to  execute  a  set  of  queries  after  a  certain 
number  of  updates  has  been  completed,  and  size  of  relations  (i.e.,  number  of 
stored  datoms  over  the  same  predicate)  after  a  series  of  updates.  We  first  examine 
relation  size,  then  disk  access  count,  and  then  give  some  general  comments. 

9.7.1.  Relation  Size 

As  described  earlier,  the  input  to  a  simulation  run  consists  of  three  rela¬ 
tions/predicates,  each  with  three  attributes,  and  each  with  the  same  number  of 
stored  datoms.  Each  stored  datom  is  known  to  be  true  in  all  alternative  worlds 
at  the  beginning  of  the  run.  Then  a  long  series  of  hundreds  or  thousands  of 
updates  is  applied  while  the  size  of  the  three  relations  is  monitored.  Most  of  our 
runs  used  an  initial  relation  size  of  200  datoms;  experiments  were  also  performed 
with  initial  sizes  of  1000  and  20.  These  runs  were  all  very  interesting  to  watch;  a 
number  of  phenomena  deserve  mention.  First  we  describe  the  parameter  settings 
used  for  this  set  of  runs,  summarized  in  Table  9-1. 

These parameters are intended to model a scenario where 80% of the in-
coming INSERT requests are for datoms that are to be true in all alternative
worlds. Of the remaining 20%, one null value appears in 18% of the datom in-
sertion requests, and two null values appear in the remaining 2%. Every inserted
datom has some non-null value as an argument, because one attribute is required
to be null-free, to permit joins at a reasonable cost for these large relations. In
keeping with this 80/20 approach, a MODIFY request has an 80% chance of mod-
ifying an attribute value to be a constant, and a 20% chance of modifying it to
be a null value. Half of the unknown values in inserted datoms are restricted
to small sets, containing three possible values initially. These represent inserted
datoms like Emp(e, CSD) ∧ (e=Reid ∨ e=Nilsson). The other half of the inserted
null values have unrestricted ranges, meaning that they can assume any value
from an infinite domain. Emp(e, CSD) is an example of this type of unrestricted
insertion.

The  breakdown  of  update  types  was  40%  MODIFY  requests  and  20%  each 
INSERT,  DELETE,  and  ASSERT  requests.  The  sensitivity  of  our  results  to  the  value 
of  the  ASSERT  parameter  will  be  discussed  below. 
200  Number of datoms in each relation at start of run
 20  Upper bound on “small set” size for type 2 selection clauses
.20  Percentage of updates that are insertions
.40  Percentage of updates that are modifications
.20  Percentage of updates that are deletions
.20  Percentage of updates that are assertions
.20  Percentage of modifications that introduce set nulls
.80  Percentage of type 1 selection clauses for insertions
.20  Percentage of type 2 selection clauses for insertions
.58  Percentage of type 1 selection clauses for modifications
.34  Percentage of type 2 selection clauses for modifications
.00  Percentage of type 3 selection clauses for modifications
.06  Percentage of type 4 selection clauses for modifications
.02  Percentage of type 5 selection clauses for modifications
.75  Percentage of type 1 selection clauses for deletions
.15  Percentage of type 2 selection clauses for deletions
.00  Percentage of type 3 selection clauses for deletions
.05  Percentage of type 4 selection clauses for deletions
.05  Percentage of type 5 selection clauses for deletions
.20  Percentage of type 1 selection clauses for queries
.20  Percentage of type 2 selection clauses for queries
.20  Percentage of type 3 selection clauses for queries
.20  Percentage of type 4 selection clauses for queries
.20  Percentage of type 5 selection clauses for queries
.40  Percentage of queries with no joins in the selection clause
.35  Percentage of queries with one join in the selection clause
.25  Percentage of queries with two joins in the selection clause
.50  Chance of an inserted set null having an unrestricted domain
.80  Chance of an inserted tuple having no null values
.18  Chance of an inserted tuple having one null value
.02  Chance of an inserted tuple having two null values

Table 9-1. Major input parameters for a series of runs.

Figures  9-2  and  9-3  show  the  number  of  stored  datoms  for  each  of  the 
three  relations  over  a  long  series  of  updates,  taken  from  a  run  with  an  initial 
relation  size  of  200  datoms.  Figure  9-2  gives  a  close-up  view  of  the  behavior  of 
the  relations  between  updates  2700  and  3700.  The  starting  and  stopping  points 
were  taken  at  random  from  a  run  of  over  6000  updates.  Figure  9-3  takes  a 
longer-term  view,  covering  updates  2500  through  5250.  These  figures  bring  out 
two  important  points  about  this  typical  run: 
•  Relation size does not increase with time.

•  Relation size has a high variance.

Figure 9-2. Relation size after a series of updates (updates 2700 through 3700).
X axis: number of updates; Y axis: relation size.

Figure 9-3. Relation size after a series of updates (updates 2500 through 5250).
X axis: number of updates; Y axis: relation size.

The  sudden,  dramatic  rises  in  relation  size,  followed  immediately  by  major 
collapses,  made  this  run  and  its  brethren  very  exciting  to  watch.  What  causes 
those  dramatic  peaks?  Over  such  a  long  series  of  updates,  events  with  low  prob¬ 
ability  of  occurring  at  any  one  moment  have  a  high  probability  of  occurring  at 
some  point.  Those  peaks  are  caused  by  repeated  splits  of  datoms  like  Emp(e, 
CSD):  a  long  series  of  updates  all  have  selection  clauses  that  unify  with  Emp(e, 
CSD),  and  that  datom  is  split  again  and  again,  causing  a  sudden  explosion  in  the 
size  of  the  alternative  sets  of  the  datom.  Then  the  law  of  averages  takes  effect: 
an  ASSERT  request  establishes  that  a  datom  in  one  of  those  large  alternative  sets 
is  true  in  all  alternative  worlds,  and  the  entire  huge  alternative  set  vanishes  with 
that  ASSERT  request.  Graphs  on  a  larger  scale  than  those  of  Figures  9-2  and 
9-3  would  show  that  such  explosions  typically  take  place  within  a  short  series  of 
perhaps  30  updates,  and  vanish  even  more  quickly. 

Of  course  any  practical  implementation  of  this  theory  would  need  to  pre¬ 
vent  sudden  bursts  in  relation  size:  the  growth  and  collapse  use  a  lot  of  resources. 
The  obvious  means  would  be  a  limit  on  the  number  of  times  any  one  tuple  can 
be  split  before  more  complete  information  on  its  null  values  is  required. 

Sudden  collapses  in  relation  size,  other  than  those  following  a  sudden  burst 
in  size,  are  very  rare.  This  is  because  the  base  size  of  the  relation — its  size  when 
not  in  a  dramatic  peak — is  determined  not  by  datoms  that  have  been  split  many 
times, but by datoms that are either true in all alternative worlds or at most
have  been  split  just  a  few  times.  There  is  no  way  to  delete  many  of  these  datoms 
within  a  few  updates,  because  the  number  of  datoms  selected  by  the  DELETE 
operator  is  not  a  function  of  relation  size. 

Figures  9-2  and  9-3  do  not  show  the  initial  growth  of  the  relations  from 
200  to  their  eventual  base  size  of  approximately  400  datoms.  Recall  that  at  the 
beginning of a simulation run, all datoms are known to be true in all alternative
worlds.  The  initial  phase  of  growth  lasts  for  several  hundred  updates,  as  the 
initial  datoms  in  the  relations  are  replaced  by  datoms  that  are  not  so  likely  to 
be  true  in  all  alternative  worlds.  As  such  datoms  are  likely  to  be  split  several 
times  before  they  are  DELETEd  or  ASSERTed,  the  long-term  expected  size  of  the 
relation  is  greater  than  its  initial  size. 

We  had  planned  to  do  the  simulation  runs  with  much  larger  initial  relation 
sizes,  say  10  000  tuples.  However,  the  VAX  did  not  take  kindly  to  keeping  all  the 
data  structures  for  statistics  for  such  large  relations.  In  addition,  the  random 
numbers  used  at  every  phase  of  execution  gave  terrible  locality  to  the  datom  ac¬ 
cess  patterns.  We  tested  the  behavior  of  relations  with  initial  sizes  of  between  20 
and  5000  tuples  to  see  what  relationship  held  between  starting  size  and  eventual 
size,  with  the  hope  that  a  smaller  starting  size  would  suffice.  We  found  that  in 
all  cases,  the  relation  size  after  a  long  series  of  updates  is  a  function  of  the  initial 
relation  size,  and  that  for  initial  sizes  over  100  tuples,  the  relations  grew  to  be¬ 
tween  1.5  and  2  times  their  initial  size  before  stabilizing.  For  example,  an  initial 
relation size of 1000 tuples grew to an average base size of 2000 tuples after a
series of 1500 or more updates. Smaller starting sizes had to grow proportionately
more  before  reaching  stability;  relations  of  fewer  than  80  tuples  stood  in  danger 
of  being  wiped  out  by  an  unlucky  sequence  of  ASSERT  and  DELETE  requests.  For 
example,  the  smallest  relation  in  Figure  9-2  drops  down  below  100  tuples  after 
update  4500,  and  to  size  zero  soon  thereafter.  Even  1500  updates  later,  that 
relation  still  had  fewer  than  20  datoms.  This  opened  up  the  possibility  that  100 
datoms  was  a  size  threshold  for  stability;  however,  this  hypothesis  was  discredited 
by  a  separate  simulation  run  using  initial  sizes  of  20  datoms.  In  this  latter  run, 
the  relation  size  stabilized  at  a  base  of  100  tuples.  From  the  group  of  test  runs 
we  conducted,  we  concluded  that  simulation  runs  with  an  initial  relation  size  of 
200  datoms  were  adequate  for  our  purposes. 

The  exact  pattern  of  relation  size  peaks  and  valleys  is  highly  variable.  For 
example,  changing  the  random  number  seed,  or  changing  the  initial  relation  size 
from  200  to  199  or  201  datoms,  was  found  to  lead  to  a  very  different  pattern  of 
growth  and  shrinkage. 

What  effect  did  assertions  have  in  keeping  down  the  size  of  the  relations? 
A  sample  run  with  the  assertion  routines  disabled  showed  slow,  steady  growth  in 
the  size  of  the  relations,  so  that  an  initial  relation  size  of  200  datoms  had  grown 
to  over  20,000  datoms  in  the  three  relations  after  approximately  850  updates. 

When  the  percentage  of  ASSERT  requests  was  lowered  to  10%  by  disabling 
the  ASSERT  routine  half  the  time,  then  after  1000  updates,  the  three  relations  of 
initial  size  200  had  grown  to  a  combined  base  size  of  over  3500  tuples.  After  1500 
updates,  the  combined  base  size  was  over  6000  tuples.  Relations  of  initial  size 
100  headed  towards  size  infinity  at  the  same  steady  pace. 

The  second  phase  of  experimentation  involved  measuring  disk  accesses 
required  for  a  series  of  queries  after  a  long  series  of  updates.  From  examination 
of  the  pattern  of  growth  and  shrinkage,  we  determined  that  1000  updates  were 
sufficient  to  “randomize”  the  initial  relations  fully  and  to  stabilize  the  relation 
sizes.  The  base  relation  size  remained  the  same  from  the  1000th  update  on 
through  the  10  000th,  which  was  the  largest  number  of  iterations  we  tried. 

Because  relation  size  was  subject  to  dramatic  temporary  fluctuations,  we 
did  not  want  to  measure  the  disk  access  cost  of  queries  at  a  moment  when  the 
relations  were  at  an  unrealistic  size  peak  that  would  not  have  been  permitted  in 
a  more  practical  setting.  However,  this  turned  out  not  to  be  a  problem,  as  for 
the  test  runs  we  used  in  measuring  disk  accesses,  the  relation  sizes  were  all  quite 
reasonable  after  exactly  1000  updates. 

9.7.2.  Disk  Access  Measurements 

This  section  compares  the  performance  during  query  processing  of  an  extended 
relational  theory  and  a  complete-information  relational  database.  The  first  task 
of  such  a  comparison  is  to  decide  what  constitutes  a  fair  comparison:  what  should 
be  the  characteristics  of  the  complete-information  database?  To  determine  this, 
we examined the internal state of an extended relational theory after a long series
of  updates,  in  order  to  determine  the  approximate  size  of  each  of  its  relations  in 
its  alternative  worlds  by  examining  the  cardinality  of  its  alternative  sets.  In  the 
process  we  garnered  information  about  the  number  and  makeup  of  the  alternative 
sets  in  an  extended  relational  theory  after  a  long  series  of  updates. 

The  extended  relational  theory  used  in  this  discussion  was  generated  by 
applying  a  series  of  1000  updates  to  relations  of  initial  size  200.  This  theory  was 
described  in  the  previous  section,  and  the  major  input  parameters  for  the  theory 
are listed in Table 9-1. At the end of the generation process, the three relations
had  sizes  485,  600,  and  358,  respectively.  An  examination  of  the  alternative 
sets  of  the  theory  showed  that  an  alternative  world  of  this  theory  would  have 
approximately  225,  199,  and  139  tuples,  respectively,  in  its  three  relations.  The 
largest  alternative  set  found  contained  130  datoms,  most  of  them  from  relation 
three.  This  correlated  with  the  findings  of  test  runs  on  complete-information 
relations  of  initial  size  200,  which  showed  that  the  average  relation  size  was 
still  approximately  200  tuples  after  1000  updates.  We  concluded  that  a  fair 
comparison  could  be  obtained  by  running  the  queries  on  a  complete-information 
relational  database  with  200  tuples  in  each  relation. 

Experimental  runs  of  100  to  500  queries  on  this  complete-information 
database  showed  wide  variation — as  much  as  a  factor  of  three — in  the  seeks,  la¬ 
tencies,  and  block  transfers  needed,  depending  on  the  choice  of  a  random  number 
seed.  We  traced  this  problem  to  the  presence  of  joins  whose  result  was  the  carte¬ 
sian  product  of  the  two  relations.  To  achieve  greater  stability,  such  joins  were 
prohibited.  Once  this  step  was  taken,  disk  access  requirements  were  fairly  uni¬ 
form  over  different  choices  of  random  number  seeds.  We  averaged  the  results 
from  eight  typical  runs  of  100  queries  to  get  complete-information  seek,  latency, 
and  block  transfer  totals.  These  figures  are  shown  in  Table  9-2. 

Another  factor  threatened  to  prevent  a  realistic  comparison.  If  joins  are 
done  on  attributes  containing  unrestricted  nulls,  then  datoms  containing  nulls 
on  those  attributes  will  match  with  every  datom  in  the  joining  relation.  The 
volatility of this type of n² join had already been demonstrated in the complete-
information  case.  To  avoid  spurious  comparisons,  we  chose  to  restrict  joins  to 
the  null-free  attribute  of  each  of  the  relations. 

As  mentioned  earlier,  we  assume  that  each  alternative  set  and  mark  list  fits 
on  one  block  of  disk  storage.  When  the  satisfiability  tester  is  called,  it  recursively 
visits  all  alternative  sets  that  each  selected  datom  appears  in,  all  alternative  sets 
that  the  atoms  in  those  sets  appear  in,  and  so  on.  Once  an  alternative  set  has 
been  visited  during  a  query,  it  is  completely  read  into  memory  at  that  time  and 
remains  in  memory  until  the  end  of  that  query.  Similarly,  once  a  MarkList  is 
referenced  it  is  assumed  to  remain  in  memory  until  the  end  of  the  query.  At  the 
end  of  each  query,  the  alternative  sets  and  mark  lists  are  flushed  from  memory. 

The disk access requirements shown in Table 9-2 for the incomplete-
information theory are the averages of a set of six runs taken with different
random number seeds at query time and otherwise identical input data; the same
input data for queries were used as for the complete-information database.

Table 9-2. Disk accesses during processing of 100 queries.
  Complete Information
  Incomplete Information

Table  9-2  shows  that  the  presence  of  incomplete  information  causes  a  three¬ 
fold  increase  in  disk  access  costs  for  a  series  of  queries.  Examination  of  the  raw 
data  showed  that  most  of  the  extra  cost  does  not  come  from  accesses  to  alter¬ 
native  sets  and  mark  lists;  rather,  the  more  mundane  accessing  of  datom  space 
records  alone  more  than  doubles  the  average  disk  access  requirements.  Since 
there  are  twice  as  many  stored  datoms  in  the  incomplete-information  theory  as 
in  the  complete-information  database,  this  is  not  surprising. 

9.7.3.  General  Discussion 

When  this  project  began,  it  was  unclear  what  level  of  ASSERT  requests  would 
be  required  to  keep  the  extended  relational  theory  from  growing  without  bound. 
We  found  that  20%  assertions  provided  size  stability,  and  10%  produced  slow 
growth,  when  40%  of  the  updates  were  modifications,  and  the  rest  were  evenly 
split  between  insertions  and  deletions.  As  for  disk  access  costs,  the  presence  of 
incomplete  information  in  the  database  caused  an  approximate  doubling  in  the 
number  of  stored  datoms  and  an  approximate  threefold  increase  in  disk  accesses 
required  during  query  processing,  for  the  case  where  joins  were  not  permitted  on 
attributes  containing  unrestricted  null  values.  This  increase  seems  reasonable, 
since  intuitively  the  presence  of  null  values  will  cause  many  more  datoms  to 
appear  to  satisfy  the  selection  clause  of  an  incoming  query. 

One  unusual  feature  of  the  implementation  is  its  use  of  tuple  splitting  in 
an  attempt  to  avoid  complicated  logical  inferences  over  datoms.  It  is  not  clear 
whether  tuple  splitting  has  any  advantages  as  an  implementation  strategy.  On 
the  one  hand,  tuple  splitting  made  the  relation  size  a  clear  indicator  of  the  prolif¬ 
eration  of  uncertainty  within  the  extended  relational  theory.  On  the  other  hand, 
tuple  splitting  was  responsible  for  the  sudden  spurts  and  drops  in  relation  size.  In 
a  practical  implementation  of  this  approach,  those  irregularities  in  relation  size 
would  have  to  be  ironed  out  by  establishing  limits  on  the  permissible  number  of 
splits.  This  points  out  another  potential  advantage  of  tuple  splitting,  in  that  it  is 
easy  to  detect  the  most  common  situations  where  uncertain  data  will  have  a  big 
impact  on  processing  costs.  On  the  other  hand,  such  record-keeping  could  prob¬ 
ably  be  incorporated  into  a  more  direct  implementation  of  logical  relationships 
as  well.  Finally,  it  is  not  clear  to  what  extent  the  high  disk  access  requirements 
for  the  database  were  due  to  the  use  of  tuple  splitting. 

The  implementation  uses  a  uniform  probability  distribution  to  select 
datoms from a relation during the selection phase of query and update processing.
A more realistic model (and one which would lead to more optimistic results)
would  be  to  use  Zipf’s  law  [Knuth  73]  and  use  a  distribution  that  directed  90%  of 
the  updates  to  10%  of  the  extended  relational  theory  datoms,  90%  of  that  90% 
to  10%  of  that  10%,  and  so  on;  and  that  directed  80%  of  the  queries  to  20%  of 
the  extended  relational  theory  datoms,  80%  of  that  80%  to  20%  of  that  20%,  and 
so  on.  Zipf’s  law  would  improve  the  in-memory  performance  of  the  implementa¬ 
tion,  because  it  would  tend  to  localize  uncertainties  into  little  clusters.  The  most 
expensive  processing  occurs  when  a  chain  of  interrelated  uncertainties  sprawls 
across  the  extended  relational  theory;  a  Zipfian  distribution  would  tend  to  keep 
uncertainty  local.  Because  processing  cost  may  be  exponential  in  the  length  of 
the  chain  of  interrelated  uncertainty,  short  localized  chains — in  particular,  chains 
of  guaranteed  bounded  length — would  put  a  tight  cap  on  the  CPU  cost  of  query 
answering.  In  particular,  if  chain  lengths  are  bounded  by  a  constant,  then  query 
answering  will  no  longer  be  NP-complete^;  the  worst-case  running  time  of  a 
query  will  be  polynomial  in  the  size  of  the  extended  relational  theory.  This  (9(1) 
hypothesis — the  belief  that  chains  will  be  of  bounded  length — is  a  very  important 
point,  so  let  us  elaborate  on  it  a  bit. 
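As an added example (not the dissertation's simulator), the following Python packages the selection-type mixes of Table 9-1 together with the self-similar 90/10 rule proposed above, and measures how much of the load lands on the hottest 10% of datom ids under the uniform choice the implementation used versus the skewed rule. Datoms are plain integer ids, the seeds and sample sizes are the example's own, and the Erlang size distribution used for type 3 clauses is left out.

```python
import random

# Probability of each selection-clause type (1..5) per request kind, from Table 9-1.
QUERY_TYPE_MIX = {1: .20, 2: .20, 3: .20, 4: .20, 5: .20}
INSERT_TYPE_MIX = {1: .80, 2: .20, 3: .00, 4: .00, 5: .00}
MODIFY_TYPE_MIX = {1: .58, 2: .34, 3: .00, 4: .06, 5: .02}
DELETE_TYPE_MIX = {1: .75, 2: .15, 3: .00, 4: .05, 5: .05}


def pick_type(mix, u):
    """Map one uniform draw u in [0, 1) to a clause type by walking the cumulative mix."""
    acc = 0.0
    for clause_type in sorted(mix):
        acc += mix[clause_type]
        if u < acc:
            return clause_type
    return max(mix)  # reached only through floating-point rounding near u = 1


def uniform_index(n, rng):
    """The choice the simulator used: every datom id equally likely."""
    return rng.randrange(n)


def self_similar_index(n, rng, hot_frac=0.10, hot_prob=0.90):
    """Zipf-like skew as proposed in Section 9.7.3: hot_prob of the draws land in the first
    hot_frac of the ids, and the rule applies again inside that prefix (90% of the 90% to
    10% of the 10%, ...). Use hot_frac=0.20, hot_prob=0.80 for the 80/20 query variant."""
    lo, hi = 0, n
    while hi - lo > 1:
        hot = max(1, int((hi - lo) * hot_frac))
        if rng.random() < hot_prob:
            hi = lo + hot                        # descend into the hot prefix
        else:
            return rng.randrange(lo + hot, hi)   # cold remainder, uniform within it
    return lo


def hot_share(sampler, n, draws, rng, hot_frac=0.10):
    """Fraction of `draws` that hit the hottest hot_frac of the ids."""
    cutoff = int(n * hot_frac)
    return sum(sampler(n, rng) < cutoff for _ in range(draws)) / draws


def compare_locality(n=1000, draws=20000, seed=1987):
    """(uniform, self-similar) hot-10% shares from the same seed: about 0.10 versus 0.90."""
    return (hot_share(uniform_index, n, draws, random.Random(seed)),
            hot_share(self_similar_index, n, draws, random.Random(seed)))


def type_histogram(mix, draws, seed=1987):
    """How often each clause type is generated under `mix` (constructed workload, not a thesis run)."""
    rng = random.Random(seed)
    counts = {t: 0 for t in mix}
    for _ in range(draws):
        counts[pick_type(mix, rng.random())] += 1
    return counts


if __name__ == "__main__":
    print("hot-10% share (uniform, self-similar):", compare_locality())
    print("modification clause types:", type_histogram(MODIFY_TYPE_MIX, 10000))
```

Under the self-similar rule exactly 90% of the selections land in the first 10% of the ids at every level of recursion, so repeated updates keep hitting the same small region of the theory; under the uniform rule the same region receives 10%, which is the poor locality noted in Section 9.7.1.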

It  is  not  uncertainty  per  se  that  makes  query  processing  expensive;  in¬ 
memory  processing  only  gets  expensive  when  attribute  values  are  uncertain  and 
they  depend  on  other  uncertain  values,  which  in  turn  depend  on  other  uncertain 
values,  and  so  on.  For  example,  it’s  not  really  a  problem  if  I  don’t  know  your 
salary,  and  I  don’t  know  the  number  of  orders  outstanding  in  the  warehouse,  and 
I  don’t  know  who  your  boss  is;  it  only  really  becomes  a  problem  if  in  addition 
your  salary  depends  on  who  your  boss  is,  and  that  in  turn  depends  on  the  number 
of  orders  outstanding  in  the  warehouse,  and  so  on.  The  length  of  that  chain  of 
uncertainty  is  what  determines  the  cost  of  query  processing.  I  hypothesize  that 
in “real life,” that chain of uncertainty is short: O(1), i.e., of length bounded by
a  constant.  In  other  words,  your  salary  is  not  going  to  depend  on  datoms  far  off 
in  another  corner  of  the  extended  relational  theory.  Zipf’s  law,  which  has  been 
observed to hold for many natural phenomena, supports the O(1) hypothesis. Of
course  there  is  no  formal  method  to  prove  or  disprove  this  hypothesis;  consider 
it  an  argument  against  entropy  in  the  extended  relational  theory,  where  entropy 
is  defined  as  the  Murphy’s-Law  state  of  affairs  wherein  the  length  of  chains  of 
interrelated  uncertainties  grows  as  the  size  of  the  extended  relational  theory. 
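The block-access model of Section 9.7.2 (one block per alternative set and per mark list, each read once and kept in memory until the query ends) together with the chain-length argument above can be made concrete by counting reads; the Python below is an added example, not the thesis's code. Beyond the thesis's own assumptions it assumes that a mark list simply names the alternative sets a datom appears in, that fetching a selected datom's own record costs one block, and that alternative sets are given as a name-to-members dictionary; the chain and clusters builders and all datom names are constructed inputs.

```python
class Store:
    """alt_sets: name -> datom ids in that alternative set. Assumed from Section 9.7.2: each
    alternative set and each mark list occupies one disk block, and a datom's mark list
    names the alternative sets it appears in."""

    def __init__(self, alt_sets):
        self.alt_sets = {name: list(ids) for name, ids in alt_sets.items()}
        self.mark_lists = {}
        for name, ids in self.alt_sets.items():
            for d in ids:
                self.mark_lists.setdefault(d, []).append(name)

    def blocks_for_query(self, selected):
        """Blocks read for one query over `selected` datom ids: one datom-space block per
        selected datom (assumed), plus every mark list and alternative set the satisfiability
        tester reaches transitively, each read once because it stays in memory until the query ends."""
        reads = len(selected)
        seen_sets, visited = set(), set()
        stack = list(selected)
        while stack:
            d = stack.pop()
            if d in visited:
                continue
            visited.add(d)
            names = self.mark_lists.get(d)
            if not names:
                continue                    # known-true datom: no mark list to fetch
            reads += 1                      # its mark list
            for name in names:
                if name in seen_sets:
                    continue
                seen_sets.add(name)
                reads += 1                  # the alternative set itself
                stack.extend(self.alt_sets[name])
        return reads


def chain(length):
    """One chain of interrelated uncertainty: set A_i ties datom d_i to d_{i+1} (constructed)."""
    return {f"A{i}": [f"d{i}", f"d{i+1}"] for i in range(length)}


def clusters(count, length):
    """`count` independent chains of bounded `length`: the O(1)-chain hypothesis (constructed)."""
    sets = {}
    for c in range(count):
        for i in range(length):
            sets[f"C{c}A{i}"] = [f"c{c}d{i}", f"c{c}d{i+1}"]
    return sets


def cost_growth():
    """Reads for a query on one datom as the theory grows: one long chain versus many short ones."""
    rows = []
    for size in (10, 100, 1000):
        long_chain = Store(chain(size)).blocks_for_query(["d0"])
        bounded = Store(clusters(size // 5, 5)).blocks_for_query(["c0d0"])
        rows.append((size, long_chain, bounded))
    return rows


if __name__ == "__main__":
    for size, long_chain, bounded in cost_growth():
        print(f"{size} alternative sets: chain {long_chain} reads, bounded chains {bounded} reads")
```

cost_growth() shows the point: on a single chain the reads for a query on d0 grow as 2n + 2 with the chain length n, while with many chains of bounded length 5 they stay at 12 however large the theory becomes. Only disk reads are counted; the in-memory satisfiability check, which is where the exponential cost can arise, is not modelled.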

Entropy  does  have  an  ally,  however.  Since  people  are  naturally  messy, 
their  extended  relational  theories  will  tend  to  get  messy  and  cluttered  with  old, 
irrelevant  uncertainties.  A  certain  amount  of  energy  will  have  to  be  expended 
into  keeping  the  extended  relational  theory  clean  with  ASSERT.  Feedback  on  per¬ 
formance  bottlenecks  should  suffice  to  motivate  periodic  clean-ups. 


† Or co-NP-complete, depending on the exact query language allowed [Vardi 85].
Chapter 10: Open Questions, Summary, and Conclusions


This chapter summarizes the findings of Chapters 3 through 9 and
proposes  a  number  of  questions  for  future  work. 

10.1.  Open  Questions 

Some obvious directions for future work are in the areas of the relaxation of the
closed-world  assumption,  minimization  of  the  size  of  extended  relational  theories, 
the  cost  of  query  answering,  axiom  enforcement,  lazy  evaluation,  and  incorpora¬ 
tion  of  other  types  of  incomplete  information. 

The  closed-world  assumption.  How  would  the  algorithms  presented  in  this 
thesis  differ  if  the  open-world  assumption  were  used  rather  than  a  closed-world 
approach?  Essentially,  Step  1  of  the  Update  Algorithm  can  be  eliminated,  and 
dependency  enforcement  becomes  more  difficult.  This  question  is  investigated 
in  some  detail  in  [Winslett  86c],  and  the  reader  is  referred  to  that  publication 
for  details.  Conditions  for  update  equivalence  under  the  open-world  assumption 
have yet to be specified, and there is much more to be said about axiom enforcement
in the AI realm, as different types of enforcement are needed there than
those  natural  in  the  database  environment.  The  problem  of  axiom  enforcement 
gradually  shades  into  that  of  revision  of  beliefs  in  the  face  of  conflicting  evidence. 

Minimization  of  the  size  of  extended  relational  theories.  A  more  thorough 
investigation  is  needed  into  efficient  heuristic  techniques  for  minimizing  the  size 
of  the  formulas  added  to  the  theory  during  updates.  Simplification  heuristics  are 
vital  for  efficient  execution,  and  were  at  the  core  of  the  implementation  of  the 
Update  Algorithm  coded  by  the  author. 

The  cost  of  query  answering.  There  is  more  to  be  said  on  exactly  when 
answering  a  query  placed  to  an  extended  relational  theory  takes  a  long  time.  Of 
course  query  answering  will  be  at  least  as  hard  as  satisfiability  testing,  and  the 
exact  difficulty  will  depend  on  the  query  language  allowed  [Vardi  85].  An  inter¬ 
esting  question  is  how  the  history  predicates  affect  the  complexity.  In  the  worst 
case, query answering will be NP-hard in the number of history atoms present
in  the  extended  relational  theory,  but  we  conjecture  that  the  time  taken  up  by 
computations  on  history  atoms  can  be  bounded  by  a  function  of  the  complexity 
of  the  database  before  those  atoms  were  introduced. 

Axiom  enforcement.  The  work  on  strict  enforcement  of  type  and  dependency 
axioms  should  be  extended,  so  far  as  is  possible,  to  axioms  containing 
existential  quantification,  and  to  different  types  of  enforcement. 
Lazy  evaluation.  There  is  a  good  deal  more  to  be  said  about  lazy  evaluation 
of  updates,  and  quite  a  bit  more  to  be  proven  about  lazy  evaluation.  For 
example,  refinement  of  the  update  cost  estimation  function  of  Chapter  5  would 
be  helpful,  as  would  measures  of  the  effectiveness  of  lazy  evaluation  for  updates 
with  arbitrary  selection  clauses. 

Other  types  of  incomplete  information.  How  might  an  update  paradigm 
such  as  those  discussed  in  this  thesis  be  combined  with  other  types  of  incomplete 
information?  For  example,  how  could  this  approach  be  integrated  with  fuzzy  sets 
[Zadeh  79],  probabilistic  logic  [Nilsson  86],  or  inapplicable  null  values  [Vassiliou 
80,  Zaniolo  82]? 

10.2.  Summary  and  Conclusions 

In  this  thesis  we  represent  databases  containing  incomplete  information  as  logical 
theories,  and  view  the  models  of  the  theory  as  representing  possible  states  of 
the  world  that  are  consistent  with  all  known  information.  The  bodies  of  these 
extended  relational  theories  allow  incomplete  information  to  appear  in  the  form 
of  disjunctions  or  Skolem  constants  (a.k.a.  null  values).  Any  ground  formula 
may  appear  in  the  theory  body  and,  depending  on  the  needs  of  the  application, 
quantified  formulas  may  be  permitted  as  well.  In  this  latter  case,  the  extended 
relational  theory  may  be  any  first-order  theory. 

We  set  forth  a  language  and  semantics  for  updates,  and  a  series  of  algorithms 
for  incorporating  updates  into  the  extended  relational  theory.  These 
Update  Algorithms  are  proven  correct  in  the  sense  that  the  alternative  worlds 
produced  under  the  algorithms  are  the  same  as  those  produced  by  processing  the 
update  in  each  alternative  world  individually.  For  updates  and  theories  without 
Skolem  constants,  the  Update  Algorithm  has  the  same  asymptotic  cost  as  for  an 
ordinary  complete-information  database  update,  but  may  increase  the  size  of  the 
extended  relational  theory.  For  updates  involving  Skolem  constants,  the  increase 
in  size  will  be  severe  if  many  atomic  formulas  in  the  theory  unify  with  those  in  the 
update;  if  desired,  a  lazy  evaluation  technique  may  be  used  to  control  expansion. 
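As  an  added  illustration  of  this  correctness  criterion  (not  code  from  this  dissertation  or  from  its  simulation  program),  the  following  Python  script  enumerates  the  models  of  a  small  propositional  stand-in  for  an  extended  relational  theory,  applies  a  ground  insertion  or  deletion  to  each  model  separately,  and  compares  that  reference  result  with  two  theory-level  updates:  a  naive  one  that  merely  conjoins  the  new  literal  onto  the  old  body,  and  one  that  first  renames  the  affected  atom  in  the  old  body  to  a  history  atom  recording  its  pre-update  value.  The  atom  names,  the  "old_"  prefix  and  the  renaming  step  are  assumptions  of  the  example,  a  simplified  reading  of  the  history-atom  idea  rather  than  the  Update  Algorithm  itself.

```python
"""
Possible-worlds semantics for updates to a theory with incomplete information.

Constructed example, not code from the dissertation: a propositional stand-in
for an extended relational theory over the two ground atoms R(a) and R(b).
"""
from itertools import product

# Ground atoms of a one-relation, two-constant database (assumed names).
ATOMS = ("R(a)", "R(b)")


def clause(*lits):
    """Build a clause from (atom, truth_value) literals; e.g.
    clause(("R(a)", True), ("R(b)", True)) is the disjunction R(a) OR R(b)."""
    return frozenset(lits)


def models(theory, atoms=ATOMS):
    """Enumerate the models (possible worlds) of a set of clauses by brute force.
    A world is the frozenset of atoms it makes true."""
    found = set()
    for bits in product((False, True), repeat=len(atoms)):
        world = frozenset(a for a, b in zip(atoms, bits) if b)
        if all(any((a in world) == v for a, v in c) for c in theory):
            found.add(world)
    return found


def update_world(world, update):
    """Apply a ground insert/delete to one complete-information world."""
    op, atom = update
    return world | {atom} if op == "insert" else world - {atom}


def reference_semantics(theory, update):
    """The correctness criterion: update every model individually."""
    return {update_world(w, update) for w in models(theory)}


def naive_update(theory, update):
    """Syntactic shortcut that is wrong in general: conjoin the new literal."""
    op, atom = update
    return theory | {clause((atom, op == "insert"))}


def history_update(theory, update):
    """Rename the updated atom inside the old body to a fresh history atom that
    records its pre-update value, then assert the new value. Simplified
    rendering of the history-atom idea, not the dissertation's algorithm."""
    op, atom = update
    hist = "old_" + atom  # hypothetical naming for the history atom
    renamed = {frozenset((hist if a == atom else a, v) for a, v in c) for c in theory}
    return renamed | {clause((atom, op == "insert"))}, ATOMS + (hist,)


def project(worlds, atoms=ATOMS):
    """Forget history atoms so worlds can be compared with the reference result."""
    return {frozenset(a for a in w if a in atoms) for w in worlds}


def compare(theory, update):
    """Return (reference worlds, naive update correct?, history update correct?)."""
    ref = reference_semantics(theory, update)
    naive_ok = models(naive_update(theory, update)) == ref
    new_theory, atoms = history_update(theory, update)
    history_ok = project(models(new_theory, atoms)) == ref
    return ref, naive_ok, history_ok


# Constructed theories: "R(a) or R(b)" (one of them holds, we do not know which)
# and "not both R(a) and R(b)" (at most one of them holds).
EITHER = {clause(("R(a)", True), ("R(b)", True))}
AT_MOST_ONE = {clause(("R(a)", False), ("R(b)", False))}

if __name__ == "__main__":
    for theory, upd in ((EITHER, ("delete", "R(a)")), (AT_MOST_ONE, ("insert", "R(a)"))):
        ref, naive_ok, hist_ok = compare(theory, upd)
        print(upd, sorted(sorted(w) for w in ref), "naive ok:", naive_ok, "history ok:", hist_ok)
```

Deleting  R(a)  from  "R(a)  or  R(b)"  must  leave  both  the  empty  world  and  the  world  {R(b)}  possible,  since  the  old  disjunction  may  have  been  satisfied  by  R(a)  alone;  simply  adding  NOT  R(a)  to  the  body  keeps  only  {R(b)},  whereas  the  history-atom  version  reproduces  the  reference  result.  The  "at  most  one"  theory  shows  the  same  failure  for  an  insertion.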

As  a  corollary  to  this  work,  in  the  case  where  quantifiers  are  allowed  to 
appear  in  the  body  of  the  extended  relational  theory,  the  Update  Algorithm  serves 
as  an  efficient  means  of  implementing  updates  to  arbitrary  first-order  theories 
under  a  model-based  semantics. 

When  dependency  axioms  are  added  to  this  framework,  additional  mechanisms 
are  required  to  enforce  those  axioms  when  updates  are  processed.  For 
a  particular  definition  of  enforcement,  we  developed  mechanisms  to  handle  universally 
quantified  dependency  axioms  during  updates,  and  incorporated  those 
mechanisms  into  the  Update  Algorithm.  The  cost  of  enforcement  is  reasonable  for 
common  varieties  of  axioms,  such  as  functional  and  multi-valued  dependencies. 

A  simulation  program  has  been  constructed  for  the  Update  Algorithm, 
with  heavy  emphasis  on  optimization  of  the  algorithms  for  the  expected  types 
of  queries  and  updates  in  a  typical  database  management  system  scenario.  We 
found  that  for  a  reasonable  pattern  of  input  queries  and  updates,  the  size  of  the 
extended  relational  theory  fluctuated  from  moment  to  moment,  but  did  not  grow 
over  time.  For  this  pattern  of  queries  and  updates,  the  disk  access  requirements  of 
the  extended  relational  theory  were  found  to  be  three  times  greater  during  query 
processing  than  for  a  comparable  complete-information  relational  database. 

The  techniques  used  in  the  Update  Algorithm  can  be  used  as  the  basis 
for  efficient  processing  of  updates  under  a  wide  range  of  semantics.  We  discussed 
the  general  class  of  semantics  for  which  the  Update  Algorithm  approach  is  helpful, 
and  gave  special  attention  to  several  interesting  choices  of  semantics.  We 
introduced  the  concept  of  update  equivalence  as  one  means  of  investigating  the 
properties  of  a  potential  choice  of  semantics,  and  provided  theorems  on  update 
equivalence  for  a  variety  of  semantics.  It  is  our  hope  that  the  use  of  mathematical 
logic  in  this  work,  and  the  attempt  to  free  the  approach  from  considerations 
native  to  any  one  application  domain,  will  render  these  update  techniques  useful 
in  the  future  for  applications  in  a  wide  variety  of  domains. 

In  sum  we  have  shown  that,  first,  the  concept  of  a  database  update  can  be 
extended  to  databases  with  incomplete  information  in  a  natural  way;  second,  that 
first-order  logic  is  a  fruitful  paradigm  and  tool  for  the  investigation  of  incomplete 
information;  and  third,  that  one  may  construct  an  algorithm  to  perform  these 
updates  with  a  reasonable  running  time. 